ABSTRACT


This paper is intended to be used as a guide by personnel 
at the Navy Finance Center (NFC), Cleveland, Ohio in de- 
veloping an Automatic Data Processing (ADP) Security Plan. 

An effort has been made to combine the requirements for an 
ADP security plan established by OPNAVINST 5239.1A with per- 
tinent information from other selected readings. 

The importance of the devotion of personnel, time and 
funds to ADP security planning has been emphasized. Indi- 
vidual chapters have been devoted to the elements that must 
be considered when developing an ADP security plan. They 
include risk assessment, physical security, systems security, 
contingency planning and the managerial procedures necessary 
for the implementation of an ADP security plan. 

This paper, used in conjunction with OPNAVINST 5239.1A, 
should provide ample guidance for the development of an ini- 
tial ADP security plan for NFC, Cleveland. 
I. BACKGROUND AND PURPOSE


The purpose of this paper is to provide a guide that 
will assist the staff of the Navy Finance Center (NFC) in 
Cleveland, Ohio with the preparation of a realistic automatic 
data processing (ADP) security plan. The requirement for the 
development of an ADP security plan by all Department of the 
Navy sponsored ADP activities will be explained. The need 
for a workable ADP security plan will become evident as the 
Navy's personnel and pay (PERSPAY) phasing plan is detailed. 


The Deputy Chief of Naval Operations (Manpower, Personnel 
and Training)/Navy Comptroller (DCNO(MP&T)/NAVCOMPT) Brand X 
Study was conducted collectively by representatives of 
the Bureau of Naval Personnel, Navy Finance Center and Naval 
Data Automation Command. Its results were published on 15 
February 1979. "The purpose of this study was to conduct an 
economic analysis of four alternatives for the site selection 
of the 'Brand X' computer equipment for the Navy Finance Cen- 
ter (NAVFINCEN), Cleveland, Ohio and the Bureau of Naval Per- 
sonnel (BUPERS), Washington, D.C. Work began in May 1978 
with completion scheduled for July 1978 then rescheduled for 
January 1979" [Ref. 1: p. 1-1]. 

Why was the Brand X study conducted? 

Both BUPERS and NAVFINCEN are receiving computer support 
from computer centers with hardware authorized by interim 
delegation of procurement authority (DPA) from the General 
Services Administration (GSA). The BUPERS interim DPA 
expires in April 1979 and the NAVFINCEN interim DPA ex- 
pires in January 1979. In July 1978, an extended DPA was 
granted for continued use of the BUPERS 370/165 computer 
and NAVFINCEN's IBM dual 370/158 computer system through 
February 1982. BUPERS and NAVFINCEN have been directed by 
GSA to replace their present computer systems through the 
competitive procurement process. BUPERS and NAVFINCEN will 
procure these replacements through a single joint effort, 
which will be referred to as the "Brand X" computer pro- 
curement. The determination of the ultimate site/sites of 
the "Brand X" computer equipment will be the purpose of 
this economic analysis. [Ref. 1: p. 1-2] 

When the results of the Brand X study were published on 
15 February 1979, the recommendation was that the BUPERS and 
NAVFINCEN Brand X computers be co-located at the Navy Finance 
Center (Bratenahl Annex) in Cleveland, Ohio [Ref. 1: p. 
1-4]. 

"In March 1978 the Navy initiated the PERSPAY project 
to combine the ADP procurement efforts of DCNO(MP&T) and 
NAVCOMPT" [Ref. 2: p. 1]. The primary purpose of the 
PERSPAY project is to lower costs by initiating one instead 
of two separate competitive procurements and to provide a 
formal management discipline by employing the Commander, 
Naval Data Automation Command (NAVDAC) as the project mana- 
ger. For the purpose of this paper, the PERSPAY project is 
best viewed as an opportunity to facilitate the interface of 
pay and personnel information systems [Ref. 2: p. 2]. 

The culmination of efforts to join pay and personnel sys- 
tems will be the dedication of a consolidated data center in 
Cleveland, Ohio during March, 1987, but the phasing-in pro- 
cess of this major merger is already underway. 

Large volumes of information have become easier to store 
as computer technology has been improved. As people have 
become more familiar with computers, the information stored 
in the computer has become more easily accessible to more 
people. The advent of remote terminals has made information 
stored in computers more readily accessible to more people 
than ever before. The purpose of this paper now becomes 
clear. Information that used to be locked in a file cabinet, 
in a locked office with a guard at the main entrance of the 
building, was considered secure. Unless there were signs 
of forced entry, you could be reasonably certain that the 
information in the locked file cabinet had not been compro- 
mised in your absence. Much of the same information that 
used to be stored in the locked file cabinet is now stored 
in computers. With remote computer terminals being readily 
accessible, can the same feeling of security be maintained 
about the information stored in the computer as there was 
when it was stored in a file cabinet? Obviously not. In- 
formation security is no longer a simple matter of locking 
papers in a drawer. 

A security plan is needed at NFC Cleveland because of the 
type of data that is stored in their ADP facility. As we can 
best determine, the information that is presently stored in 
the computer at NFC Cleveland and the information that will 
be stored in the computer when the consolidated data center 
evolves will be information protected by the "Privacy Act of 
1974." More specifically, the "Privacy Act of 1974" states 
the following: 
(a) The Congress finds that: 


(1) the privacy of an individual is directly af- 
fected by the collection, maintenance, use, and 
dissemination of personal information by Federal 
agencies; 


(2) the increasing use of computers and sophisticated 
information technology, while essential to the 
efficient operations of the Government, has 
greatly magnified the harm to individual privacy 
that can occur from any collection, maintenance, 
use, or dissemination of personal information; 


(3) the opportunities for an individual to secure 
employment, insurance, and credit, and his right 
to due process, and other legal protections are 
endangered by the misuse of certain information 
systems; 


(4) the right to privacy is a personal and funda- 
mental right protected by the Constitution of the 
United States; and 


(5) in order to protect the privacy of individuals 
identified in information systems maintained by 
Federal agencies, it is necessary and proper for 
the Congress to regulate the collection, main- 
tenance, use, and dissemination of information 
by such agencies. 


(b) The purpose of this Act is to provide certain safe- 
guards for an individual against an invasion of per- 
sonal privacy by requiring Federal agencies, except as 
otherwise provided by law, to: 


(1) permit an individual to determine what records 
pertaining to him are collected, maintained, used, 
or disseminated by such agencies; 


(2) permit an individual to prevent records pertaining 
to him obtained by such agencies for a particular 
purpose from being used or made available for 
another purpose without his consent; 


(3) permit an individual to gain access to informa- 
tion pertaining to him in Federal agency records, 
to have a copy made of all or any portion there- 
of, and to correct or amend such records; 


(4) collect, maintain, use, or disseminate any record 
of identifiable personal information in a manner 
that assures that such action is for a necessary 
and lawful purpose, that the information is cur- 
rent and accurate for its intended use, and that 
adequate safeguards are provided to prevent mis- 
use of such information; 

(5) permit exemptions from the requirements with re- 
spect to records provided in this Act only in 
those cases where there is an important public 
policy need for such exemption as has been de- 
termined by specific statutory authority; and 

(6) be subject to civil suit for any damages which 
occur as a result of willful or intentional ac- 
tion which violates any individual's rights 
under this Act. [Ref. 3: p. 1] 

The Commanding Officer or any person associated with ADP 
may now be held more directly responsible for his actions. 
It means that the Commanding Officer and any other person 
that works at the data center can be subject to a civil suit 
for any damages which occur as a result of willful or in- 
tentional action which violates any individual's rights under 
the "Privacy Act of 1974." This means that the Commanding 
Officer can be held financially liable from his personal 
funds for improper actions by himself concerning Privacy Act 
information. Military and civilian government employees have 
had to spend personal funds because of improper action con- 
cerning computer security. 


As could be expected in any area with such possible far- 
reaching impact as computer security, the Department of the 
Navy (DON) has issued OPNAVINST 5239.1A dated 3 August 1982 
that requires all DON automatic data processing (ADP) acti- 
vities to submit a copy of their activity ADP security plan 
(AADPSP) to the Commander, Naval Data Automation Command 
(COMNAVDAC) for approval within nine months of the date of 
this instruction [Ref. 4: p. 3]. The objectives of the in- 
struction are much farther reaching than merely imposing a 
requirement on all DON ADP activities. The stated objectives 
are to: 

a. Provide centralized guidance and uniform policy on all 
known and recognized aspects of ADP security. 

b. Provide a graduated program of ADP security which is re- 
sponsive to the security requirements and needs of ADP 
systems and networks commensurate with their data sen- 
sitivity and mission criticality. 

c. Provide for operational reliability and asset integrity 
for all ADP systems and networks. 

d. Provide realistic guidance and generalized procedures 
to ensure that all data handled by ADP activities and 
networks are adequately protected against accidental or 
intentional destruction, modification, and disclosure, 
and users are protected against denial of service which 
may result from events such as fraud, misuse, espion- 
age, sabotage, malicious acts, or natural hazards. 
[Ref. 4: pp. 2-3] 


The fact that the instruction exists and imposes a re- 
quirement for an activity ADP security plan (AADPSP) shows us 
that the Navy recognizes the seriousness of the situation. 
The value of this instruction is increased drastically be- 
cause it describes "how to" develop each part of a total ac- 
tivity security program. It is stated in the instruction 
that an AADPSP should address the following areas: 
(1) Scope of the activity ADP security program. 

(2) Commanding Officer's policy statement. 

(3) ADP security organization and assignment of 
responsibilities. 

(4) Objectives for implementing the DON ADP security pro- 
gram at the activity. 

(5) Top level description of the current ADP security 
environment: 
(a) hardware; 
(b) software; 
(c) physical facility/security; 
(d) personnel; 
(e) emanations; 
(f) administrative/operating procedures. 

(6) Training. 

(7) Audit/internal review. 

(8) Provisions for ADP security in life cycle management. 

(9) Provisions for ADP security in hardware and software 
configuration control. 

(10) Activity accreditation schedule identifying all ADP 
elements and a plan of action and milestones (POA&M) 
for completing the following: 
(a) Risk assessments; 
(b) Security tests and evaluations (ST&Es); 
(c) Contingency planning and testing; 
(d) Accreditations. 


Updating the AADPSP should be a principle of the execution 
of the plan. The AADPSP should be a living document for 
baselining, updating, improving, developing, maintaining, 
and managing ADP security requirements within the DON ADP 
activity. The AADPSP should serve as a comprehensive 
document of security posture and plans for the Commanding 
Officer and ADPSO. The ADPSO is responsible for develop- 
ing, implementing, and updating the AADPSP. [Ref. 4: pp. 
H-1 - H-2] 

Although OPNAVINST 5239.1A imposes the requirement for an 
AADPSP and gives good guidance on how to develop the plan, it 
is the purpose of this paper to amplify the most important 
areas of OPNAVINST 5239.1A while introducing some areas that 
are not mentioned in OPNAVINST 5239.1A and should possibly be 
included in NFC's AADPSP. It is intended that this paper be 
used as a working tool to help NFC personnel develop an 
AADPSP that not only satisfies OPNAVINST 5239.1A requirements 
but will be a legitimately useful document for ensuring and 
safeguarding the efficient running of the NFC. 

Before the section on plan development is begun, a few 
additional comments about OPNAVINST 5239.1A and the specific 
Situation at the NFC are appropriate. It should be under- 
stood that an AADPSP that is developed for the current situa- 
tion at the NFC will have to be under a continuous review and 
modification as the facility changes and it gets closer to 
the dedication date for the consolidated data center. This 
does not mean that less effort should be put into the initial 
draft of the AADPSP. A good initial AADPSP will serve as a 
sound base from which to improve the security posture. 

OPNAVINST 5239.1A addresses the subject of an activity 


ADP security staff. From our research we have ascertained 


that most Navy ADP facilities do not have a formal security 
staff as described in OPNAVINST 5239.1A. In most cases ADP 
security has been assigned as a less important collateral 
duty to one or at most two persons. It is understood that 
the assignment of ADP security staff duties to the present 
staff at most commands without additional personnel would 
cause an undue hardship on personnel and possibly endanger 
the command's mission. It is therefore recommended that 
duties be assigned to current personnel only until permanent 
positions can be requested, approved and filled. The initial 
personnel assigned to the ADP security staff must move for- 
ward in the development of an AADPSP and therefore it is 
recommended that members of this staff be carefully reviewed 
and selected from all volunteers. The implementation of a 
viable ADP security plan will require significant increases 
in staff, time and money. 

The remainder of this paper will be devoted to the ampli- 
fication of subjects on how to best develop and implement an 
AADPSP. The following subject areas will be addressed: de- 
velopment of a plan of action and milestones (POA&M); types 
of ADP security; risk assessment; physical security; mana- 
gerial procedures; systems security; contingency plan de- 
velopment; procedures for handling security violations; ADP 
security training plan development; and how to prepare for an 
ADP security audit. 

II. SECURITY STAFF ORGANIZATION AND THE DEVELOPMENT 
OF A PLAN OF ACTION AND MILESTONES (POAM) 


A. INITIAL ORGANIZATION 

The first step in the development of an ADP security plan 
will be the organization of an ADP security staff. While 
conducting research for this paper, it was noted that the 
majority of governmental ADP organizations in which we made 
contact do not have formal staffs devoted to ADP security. 
In most cases, the responsibility had been delegated to one 
person as a collateral duty. Most command representatives 
interviewed recognized the need for a full time ADP security 
staff but, because of manning allowances, the movement has 
been slow. The advent of OPNAVINST 5239.1A has imposed the 
requirement for an ADP security staff and defined each mem- 
ber's responsibility. The existence of OPNAVINST 5239.1A 
should provide the much-needed formal justification for com- 
mands to obtain the manning for a proper ADP security staff. 
The implementation of a proper ADP security staff may not 
happen immediately, but should be phased in during the near 
future. 


B. TYPES OF DATA 
The responsibilities of the Commanding Officer must ini- 
tially be defined when organizing an ADP security staff, and 
the type of data to be protected must be determined because 
the Commanding Officer's responsibilities will vary depending 
on the type of data to be safeguarded. At NFC Cleveland, it 
has been determined that the highest data type of information 
to be safeguarded will be Level II as defined by OPNAVINST 
5239.1A. The definitions of the different levels of data 
classification are as follows: 

Level I. Classified data; 


Level II. Unclassified data requiring special protection, 
e.g., Privacy Act, For Official Use Only, etc.; 


Level III. All other unclassified data. [Ref. 4: p. 1-2] 


C. RESPONSIBILITIES OF THE COMMANDING OFFICER 

When the type of data to be protected has been properly 
classified into the appropriate level, the responsibilities 
of the Commanding Officer can be defined. The Commanding 
Officer of NFC Cleveland, where Level II data will be the 
most highly classified data, will be the Designated Approving 
Authority (DAA) for the accreditation of his ADP facility. 
As DAA for NFC Cleveland, the Commanding Officer's responsi- 
bilities will be as follows: 


1. Develop an AADPSP and submit it to COMNAVDAC for ap- 
proval (see Appendix H of Ref. 4); 


2. Conduct a risk assessment (see Chapter 5 and Appendix 
E of Ref. 4); 


3. Develop a Security Test and Evaluation (ST&E) Plan and 
conduct a ST&E (see Chapter 6 of Ref. 4); 


4. Document the ST&E results (see Appendix H of Ref. 4); 
5. Develop a contingency plan (see Chapter 7 of Ref. 4); 


6. Prepare the accreditation support documentation (see 
Appendix H of Ref. 4); 


7. Issue a Statement of Accreditation as described in 
paragraph 3.3c of Ref. 4; 


8. Forward information copies of the accreditation sup- 
port documentation and Statement of Accreditation to 
COMNAVDAC; 

9. Provide logistic and administrative support to the 
ST&E test team as appropriate (if external from 
the activity); 

10. Fund technical assistance if local assistance is re- 
quested from COMNAVDAC. [Ref. 4: pp. 3-6 - 3-7] 


The Commanding Officer, who is also the DAA for his ac- 
tivity, has the responsibility to declare his activity as 
either accredited or not accredited. He must declare one or 
the other. Accreditation is defined as the DAA's formal 
declaration that appropriate ADP security countermeasures 
have been properly implemented for the ADP activity. ADP 
activities not accredited may operate if the appropriate DAA 
has issued an interim authority to operate. Interim authori- 
ty to operate is granted for a fixed period of time, gener- 
ally a year, and is usually contingent upon certain conditions 
being met. Interim authority to operate 1s not a waiver of 


the requirement for accreditation. [Ref. 4: p. 3-1] 


D. RESPONSIBILITIES OF STAFF MEMBERS 
The importance of the Commanding Officer as an integral 
part of the development of a viable and successful ADP se- 
curity plan cannot be overemphasized. A task that the 
Commanding Officer should undertake as soon as possible is 
the organizing of a good ADP security staff, defining their 
responsibilities and establishing a Plan of Action and Mile- 
stones (POAM) for the implementation of a successful security 
plan. The positions that are recommended on an ADP security 
staff are as follows: 

• ADP Security Officer (ADPSO); 

• ADP Systems Security Officer (ADPSSO); 

• Network Security Officer (NSO); 

• Terminal Area Security Officer (TASO); 

• Office Information System Security Officer (OISSO) [Ref. 
4: p. A-2]. 


The responsibilities of the ADPSO, ADPSSO, NSO and TASO 
are clearly defined in Chapter 2 of OPNAVINST 5239.1A. Like- 
wise, the responsibilities of the OISSO are defined in Chap- 
ter 4.5 of OPNAVINST 5239.1A and Chapter III of this thesis. 

It would normally be expected that there would be only one 
ADPSO and ADPSSO at each command. As the PERSPAY project 
becomes more fully developed and staffed, it may be necessary 
to provide assistants to the ADPSO and ADPSSO as required. 
The number of NSO's, TASO's and OISSO's will be dictated by 
the size of the operation, availability of personnel for 
assignment and the importance that the command places on ADP 
security. The command importance is reflected directly from 
the Commanding Officer. It is suggested that as many people 
as possible be aware of ADP security. This will facilitate 
communication and training in ADP security areas while em- 
phasizing the importance placed on ADP security by the Com- 
manding Officer. 


E. INITIAL STAFF MEETINGS 

After the initial ADP security staff requirements have 
been made, an initial meeting of all staff members should be 
called. In this meeting, the Commanding Officer should com- 
municate his opinions and priorities concerning ADP security 
while tasking the group to develop a feasible ADP security 
plan. The Commanding Officer should not be a normal partici- 
pant at security staff meetings but should participate ran- 
domly at selected meetings in order to re-emphasize his 
opinions about ADP security and ensure the meetings are con- 
ducted in an appropriate manner. Communication of the Com- 
manding Officer's seriousness about ADP security and a 
general awareness of basic steps that must be followed to 
ensure ADP security should be the initial assignment of the 
ADP security staff. The development of an ADP security plan 
is only as good as it is communicated to the per- 
sonnel that must implement the plan. 

The first assignment of ADP security staff members, in 
addition to basic communication, should be for each of them 
to fill out the Security Checklist Assessment that is con- 
tained in Appendix A. This checklist is taken from OPNAVINST 
5239.1A and will serve as a reference point from which the 





second meeting can be developed. By filling out the check- 
list, it will cause the members of the security staff to 
become more familiar with ADP security at their own command. 
During the second meeting, which should be held as soon as 
practical, but allowing sufficient time for the Security 
Checklist Assessment to be properly reviewed, the results of 
the Security Checklist Assessment can be used as a basis to 
develop a Plan of Action and Milestones for the development 
of the ADP security plan. As the PERSPAY project is de- 
veloped and the facility grows, a routine review of security 
using the checklist in Appendix A would keep the organization 
moving in the right direction. After the plan has been ap- 
proved and the facility has received certification, the plan 
must be constantly reviewed to ensure that it continues to 
warrant accreditation. A review must be made at least every 
five years to verify that accreditation is still merited 
[Ref. 4: p. 5-1]. 

The results of the security checklist assessment in con- 
junction with the initial risk assessment as prescribed by 
OPNAVINST 5239.1A will serve as the basis for a realistic 
POAM in the development of the security plan. Before making 
assignments and establishing milestones, a careful review of 
the chapters discussing risk assessment, physical security, 
administrative security, system security and disaster re- 
covery/contingency plan development would be appropriate. 
The organization of a dedicated professional security 
staff with a realistic POAM is a necessary requirement. NFC 
Cleveland has the beginnings of a good security staff and 
the NFC Bratenahl Annex Security Manual discusses physical 
security and disaster recovery in some depth. With a little 
effort and time, NFC Cleveland could have an effective se- 
curity staff and a viable security plan. The development of 
an efficient security plan that is constantly reviewed and 
updated must be the goal of NFC Cleveland. 
III. TYPES OF SECURITY 


A. OVERVIEW 
Within the scope of this paper, two major topics per- 
taining to security will be discussed as being essential for 
an automatic data processing (ADP) security program at the 
Navy Finance Center. The first topic is referred to as com- 
puter security and includes the following major subtopics. 
1. Physical Security of Plant and Equipment 
Included under this subtopic are the physical mea- 
sures--guards, fences, locks, etc.--which are used to control 
entrance to the computer facility, and measures taken to pro- 
tect the computer from damage--fire extinguishers, sprinkler 
systems, etc. 
2. Management Practices 
This includes administrative, organizational, and 
personnel procedures designed to promote security within the 
activity. Examples are segregation of duties between systems 
analysts, programmers and computer operators; proper hiring 
procedures, etc. 
3. Systems Security 
Hardware, software, communication, and data controls 


are included in systems security. 
4. Contingency Planning 


This area is concerned with backup systems which will 
allow a unit to accomplish its mission even though there is a 
disruption of the primary system. This is done 
through the use of alternate facilities and methods which 
help to minimize the effects of a disruption in the system. 

These areas will be more fully discussed in subsequent 
chapters of this paper. 

The other major topic is office information system 
(OIS) security. Since OIS security has been included as a 
requirement in accordance with Reference 4 and has been put 
under the purview of the ADP Security Officer, it has been 


included in Section B of this chapter. 


B. SECURITY OF OFFICE INFORMATION SYSTEMS 

As previously mentioned, Reference 4 directs that se- 
curity procedures will be implemented for office information 
systems. To clarify exactly what should be classified as an 
OIS the following definition is provided. 


Office Information System (OIS). Any electronic system 
which is designed specifically for the purpose of and is 
being used primarily for office information applications. 
Office information applications are those functions nor- 
mally performed in an office environment dealing with docu- 
ments--including reports, memoranda, notes, correspondence, 
letters, messages, files, records, forms, working papers, 
and other textual information. Office information applica- 
tions include document preparation (word processing), docu- 
ment storage, document retrieval, document manipulation 
(indexing, etc.), and distribution (electronic 
mail). Office information system equipment (OISE) excludes 
typewriters, office copy machines, and other devices which 
have no text editing capability as well as general purpose 
and specially designed ADPE which is designed primarily to 
be applied through the internal execution of a series of 
instructions--not limited to specific key-stroke functions, 
but controlled by a general purpose data processing lan- 
guage--to process a variety of applications such as finan- 
cial management, logistics, scientific, communications, and 
the like. (Department of the Navy Definition) [Ref. 4: p. 
A-13] 

Because of the similarities between ADP equipment and 
OISE, CNO in Chapter 4 of Reference 4 sets out the following 
policy guidelines for OIS security: 

1. OIS will be considered a subset of ADP systems and 
therefore the ADP Security Officer (ADPSO) will have cogni- 
zance over the security of the office information systems; 

2. The ADPSO will ensure that an Office Information 
Security Officer (OISSO) is assigned to each OIS; 

3. OIS security violations will be handled in the same 
manner as for any ADP system with the OISSO reporting viola- 
tions to the ADPSO; 

4. The ADPSO will maintain an inventory of all OISs 
which will include, as a minimum, the following information: 

a. Identification of OIS; 
b. Location of OIS; 
c. Name of OISSO; 


d. Data sensitivity level authorized for system (see Chap- 
ter II); 


e. System type; 
f. Type of media; 


g. Security mode authorized for operation. 
5. The ADPSO will ensure that there is a written securi- 
ty operating procedure for the OIS and that it is available 
to systems users; 

6. Because the Navy Finance Center handles only Level II 
data (Privacy Act or For Official Use Only data) or Level III 
data (all other unclassified data), it has the option of 
either securing its OISs as it does its ADP systems or it can 
apply the minimum appropriate countermeasures to achieve the 
security requirements outlined below [Ref. 4: p. 4-2]: 


a. Steps will be taken to prevent loss of the OIS from 
natural hazards, fire, theft, and/or malicious acts; 


b. Whenever possible, the manufacturer's specifications 
for temperature and humidity will be followed; 


c. A contingency plan for each OIS will be prepared or, 
when applicable, a group of OISs can be covered by a 
Single plan; 


d. If Level II data is processed in an OIS the following 
additional requirements must be met: 


1. Countermeasures, including hardware, software, and/ 
or administrative procedures, will be used to pre- 
vent unauthorized disclosure, modification or de- 
struction of data; 


2. Audit trails which will include identification of 
the user, date and time accessed, and file(s) ac- 
cessed or created will be included; 


e. If Level I data is ever entered into an OIS the securi- 
ty requirements referenced in Paragraph 4.3c of Ref. 4 
must be implemented. 
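Requirement d.2 above says what a Level II audit trail must record (user, date and time, file accessed or created) but not how to verify that an existing trail meets it. The following is an added example, not code from the original paper or from OPNAVINST 5239.1A: it checks a small audit trail against those three fields. The record format (space-separated key=value fields), the timestamp format and the action vocabulary are assumptions, and the sample records are constructed for illustration, with three of them deliberately deficient.

```python
"""Compliance check for Level II audit trail records.

Added example, not part of the original paper. The record format
(space-separated key=value fields) and the action vocabulary are assumed;
the sample records are constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime

# Fields the Level II requirement calls for: who, when, which file.
REQUIRED_FIELDS = ("user", "time", "file")
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"          # assumed timestamp layout
KNOWN_ACTIONS = {"READ", "CREATE", "UPDATE", "DELETE"}  # assumed vocabulary

# Constructed sample audit trail. Records 4, 5 and 6 are deliberately deficient:
# no user, an unparseable time, and no file name respectively.
SAMPLE_AUDIT_TRAIL = """\
time=1983-03-14T09:12:33 user=JDOE action=READ file=PAYREC.MASTER
time=1983-03-14T09:14:02 user=JDOE action=CREATE file=PAYREC.WORK01
time=1983-03-14T09:20:45 user=ASMITH action=UPDATE file=PERS.ALLOT
time=1983-03-14T09:31:10 action=READ file=PAYREC.MASTER
time=not-a-time user=RLEE action=READ file=PAYREC.MASTER
time=1983-03-14T10:02:59 user=RLEE action=DELETE
"""


def parse_record(line: str) -> dict[str, str]:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields: dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def record_problems(rec: dict[str, str]) -> list[str]:
    """List everything that keeps one record from meeting the Level II requirement."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("time"):
        try:
            datetime.strptime(rec["time"], TIME_FORMAT)
        except ValueError:
            problems.append("unparseable time")
    if rec.get("action") not in KNOWN_ACTIONS:
        problems.append("unknown action")
    return problems


def check_audit_trail(text: str) -> dict:
    """Summarize a trail: record count, compliant count, problems by record
    number, and which files each user touched in the compliant records."""
    problems_by_line: dict[int, list[str]] = {}
    files_by_user: dict[str, set[str]] = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for lineno, line in enumerate(lines, start=1):
        rec = parse_record(line)
        problems = record_problems(rec)
        if problems:
            problems_by_line[lineno] = problems
        else:
            files_by_user.setdefault(rec["user"], set()).add(rec["file"])
    return {
        "records": len(lines),
        "compliant": len(lines) - len(problems_by_line),
        "problems": problems_by_line,
        "files_by_user": files_by_user,
    }


if __name__ == "__main__":
    result = check_audit_trail(SAMPLE_AUDIT_TRAIL)
    print(f"{result['compliant']} of {result['records']} records meet the Level II requirement")
    for lineno, probs in sorted(result["problems"].items()):
        print(f"  record {lineno}: {', '.join(probs)}")
```

A record that fails the check is not evidence of misuse; it is evidence that the trail could not answer "who touched this Privacy Act file, and when", which is the question the requirement exists to answer. The files_by_user summary is the starting point for the review the OISSO would report to the ADPSO.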
IV. RISK ASSESSMENT 


A. OVERVIEW 

ADP risk assessment is a method for quantifying the im- 
pact of potential threats on organizations supported by auto- 
matic data processing [Ref. 5: p. 5]. Basically, it is a 
method where risks are identified and quantified as to possi- 
ble dollar impact over a specified period. This allows the 
activity to determine if it will be cost effective to imple- 
ment countermeasures to reduce the risk. In this respect, it 
is much like an auditor dollarizing potential loss areas so 
that he can focus on the areas that appear to have the great- 
est amount of possible benefit. Risk assessment is the mid- 
dle phase in the Risk Management Program consisting of 
(1) development of an automatic data processing activity 
security plan, (2) risk assessment, and (3) countermeasure imple- 
mentation and effectiveness review. The activity ADP securi- 
ty plan was discussed in Chapter II. This chapter will 
discuss the final two steps of the Risk Management Program. 
Basically these steps consist of determining what the risks 
are, the countermeasures available to limit the risks, and 
the cost effectiveness of implementing these countermeasures. 

As is pointed out in this chapter, a number of personnel 
will be needed on the risk assessment team with the result 
that the cost of risk assessment may be quite high, and 
therefore the activity should budget sufficient dollars for 
manpower and material for the ADP staff. An additional con- 
sideration during risk assessment is that if security mea- 
sures are too restrictive processing costs may rise and the 
system may prove cumbersome to the user. 


B. BENEFITS 

There are three major benefits that an agency receives from performing risk assessment [Ref. 6: p. 9]: 

• It provides a basis for deciding whether additional security safeguards are needed; 

• It ensures that additional security safeguards will help to counter all the serious security risks; 

• It saves money that might have been wasted on safeguards which do not significantly lower the overall risks and exposures. 
C. ROLE OF MANAGEMENT 

In accordance with Reference 4, a risk analysis must be conducted at each ADP activity. The success of the risk analysis could very well be dependent on top management support. The four following items are needed to ensure the success of the risk analysis [Ref. 5: pp. 5-6]: 

• Management support of the project expressed to all levels of the organization; 

• Management explanation of the purpose and scope of risk analysis to the team and other applicable members of the organization; 

• Management selection of a qualified team and formal delegation of authority and responsibility; 

• Management review of the team's findings. 
As an expression of management interest and to document objectives, responsibilities, and a plan of action and milestones (POAM) for conducting the risk assessment, and to ensure departmental support, Reference 4 recommends that a Risk Assessment Team Charter be issued as an activity notice. A sample Risk Assessment Team Charter is included in the appendices. 


D. COMPOSITION OF TEAM 

The third element above, selection of a qualified team, calls for more elaboration. Just as in an organization where the quality of the people can mean the difference between success or failure of a unit, the same is true of the success or failure of the risk assessment program. The team at a minimum should consist of at least one experienced representative from each of the following functions [Ref. 6: p. 9]: 

• The operating unit supported by or having jurisdiction over the data under consideration; 

• The programmers responsible for support of the operation or function under consideration; 

• The unit responsible for managing ADP operations; 

• The system programmers--if the agency has this as a separate function; 

• The person assigned the responsibility for overseeing or auditing systems security; 

• Those responsible for physical security. 
Members do not have to be limited to just these functions. The team may well include participants from the legal and personnel departments, or at least consultations with these people about different aspects of security and risk should be held. The team leader should be knowledgeable in security and should understand the relationship of systems in the overall organization. Additionally, he should not be the sole representative from his function. He should not have to fill both the role of team leader and function representative, as this may bias him on certain issues and interfere with the objectivity he needs to oversee the complete risk assessment program. FIPS Pub 65 recommends that the team leader be selected from either ADP operations, systems programming (analysis) or internal auditing [Ref. 5: p. 6]. Passages from Sawyer indicate that the internal auditor has to be very careful and can not appear to be "authorizing" a system or designing controls [Ref. 7: pp. 353-393]. Therefore, it is recommended that the internal auditor not be the team leader, or a voting member of the risk assessment team, as it may well affect his impartiality when it comes time to evaluate the system. However, his insights and expertise are needed in the risk assessment and therefore he should be included for all sessions as a non-voting member. His role should be that of a consultant. 







E. DEFINITIONS 

In the literature of risk assessment a number of words arise frequently that will be defined here for clarification purposes. These words are threat, vulnerability, and countermeasure. 


Threat. Any circumstance or event with the potential to cause harm to the ADP system or activity in the form of destruction, disclosure, and modification of data, or denial of service. A threat is a potential for harm. The presence of a threat does not mean that it will necessarily cause actual harm. Threats exist because of the very existence of the system or activity and not because of any specific weakness. For example, the threat of fire exists at all facilities, regardless of the amount of fire protection available. (DON Definition) [Ref. 4: p. A-17] 

Vulnerability. A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack. (DON Definition) [Ref. 4: p. A-17] 

Countermeasure (Also called Safeguard). Any action, device, procedure, technique, or other measure that reduces the vulnerability of an ADP system or activity to the realization of a threat. (DON Definition) [Ref. 4: p. A-6] 

Particular note should be taken of the four types of possible harm mentioned under threat--destruction, disclosure, and modification of data, or denial of service. These four types of harm are commonly referred to as impact areas and are a key to the way the Navy performs risk assessment. 
F. RISK ASSESSMENT METHODOLOGY 
As discussed earlier, risk assessment is a crucial step 

in the evaluation of an ADP security system. While OPNAVINST 
5239.1A lists the three phases of the program as (1) de- 
velopment of an activity ADP security plan, (2) risk assess- 
ment, and (3) countermeasure implementation and effectiveness 
review, it goes on further to list the six actions necessary 
to satisfy the DON requirements as: 

Step 1. Development of an Activity ADP Security Program 

(AADPSP) which includes a risk assessment plan of action 

and milestones (POAM); 

Step 2. System User and Software Development Participa- 

tion. This can be accomplished by proper selection of the 


risk assessment team. 


Step 3. Conducting the Risk Assessment. Selection of the 
proper risk assessment methodology and implementing it; 


Step 4. Countermeasure Selection. Using cost-benefit 
analysis, select and implement countermeasures until fur- 
ther implementation would produce a negative return. 
Evaluate the effectiveness of the countermeasures after 
implementation; 


Step 5. Risk Assessment Documentation. Ensure there is complete documentation for the first four steps; 

Step 6. Proceed with accreditation process. [Ref. 4: pp. 5-1 - 5-5] 


Steps 3 through 5, which occasionally are collectively called risk assessment in some Navy publications, will be discussed in the following sections of this chapter. Steps 1 and 6 have already been discussed in Chapter I. Step 2 was discussed in Section D of this chapter. 
G. PRELIMINARY SECURITY EXAMINATION 

Before the actual risk assessment methodology is under- 
taken, a preliminary survey examination should be conducted. 
The results of this survey will help determine the scope of 
the risk assessment effort. Using this information, the 
designated approving authority (DAA) will then determine 
which of the two basic risk assessment methodologies will be 
employed [Ref. 4: p. E-1]. Included in Appendix B is a 
sample format for an ADP security survey. 

During the preliminary survey, the following four steps 
should be taken [Ref. 5: pp. 7-8]. 

1. Listing of Asset Costs 

A determination should be made of the replacement 

cost of computers, related equipment, buildings, data, etc. 
In instances where the risk analysis is being done in the 
systems design phase, both the increased value of data in the 
complete system and the probable increase in the cost of ac- 
quiring it should be considered. Included in Appendix B is 
a partial list of assets that should be considered under the 
seven categories that must be considered in ADP security. 

2. Listing of Threats 

A list should be compiled of threats to the ADP facility and its resources. This list should include any threat that has a realistic probability of occurring. For example, a hurricane would not be a threat to an activity in the midwest because there is almost no chance (nor past experience) of one coming that far inland. However, a tornado would be a realistic threat in the midwest. If the risk analysis is being done in the system design phase, an effort should be made not only to identify existing threats but also to predict any future ones which might result from the implementation or operation of the system. The following areas should be surveyed for threats [Ref. 5: pp. 7-8]: 

• Personnel--hiring and termination procedures, scope and amount of training, quality of supervision at all levels; 

• Physical Environment--neighborhood, quality and reliability of utilities, building design, operation and maintenance, physical access controls; 

• Hardware/Software Systems--operational availability, change controls, software features, documentation; 

• Data Communications--hardware and transmission circuits, procedures to validate and control distribution of messages; 

• ADP Applications--technical design, documentation, standards; 

• Operations--standards and procedures for source document protection, information dissemination, I/O control, tape library, forms, computer room processing, user interface, housekeeping and maintenance, production control, contingency planning. 


3. Listing of Existing Security Measures 

A listing of all security measures currently in effect should be made. Next to each security measure should be listed the threat(s) which that security measure helps to counteract. 
4. Management Review 


Upon completion of the above three steps, the results should be immediately presented to management. Using this information, management can install temporary safeguards, if needed, until permanent countermeasures can be effected. Additionally, by using the information in the preliminary security survey, management can direct either of the two methods to be used. Method I is the standard method for use in most Navy ADP environments. Method II is for use in the less complex Navy ADP environments [Ref. 4: p. E-1]. 


H. METHOD I 

1. Overview 

This method is more detailed than Method II, and it provides for the interaction of threats and the evaluation of threats by impact areas. The major steps to Method I are: 

1. Asset Identification and Valuation, 

2. Threat and Vulnerability Evaluation, 

3. Computation of the Annual Loss Expectancy (ALE), 

4. Evaluation and Selection of Additional Countermeasures, and 

5. Continue Accreditation Process [Ref. 4: pp. E-2 and E-3]. 
2. Detailed Procedures 


a. Asset Identification and Valuation 
For each asset, fill out a copy of the Asset Valuation Worksheet (Appendix B). When trying to determine how to differentiate between assets it is helpful to break them down into seven basic categories: 

• Software; 

• Data; 

• Hardware; 

• Administrative; 

• Physical; 

• Personnel; 

• Communication. 

Guidance concerned with breaking assets down into component parts is given in the following passage. "For each asset defined, all components should be in the same physical area, protected in the same manner and subject to damage by the same threat. If one component of the asset is damaged either all other components should be highly likely to be damaged in a similar manner, or the entire asset should be rendered unusable" [Ref. 4: p. E-4]. The four impacts a threat can have are discussed below. 

(1) Modification. This is an unauthorized change. When determining a value for the modification of software or data, the value should be based on the cost to correct the consequences of the modification. Or the value could be based on the cost of locating or recovering from the modification. The value of hardware, administrative, physical, or communication assets should be the total cost to detect, locate, and correct the modifications. 
(2) Destruction. This involves the loss of the asset. Two costs should be totaled to obtain this value. They are the cost to reconstruct or replace the asset and the costs incurred by the denial of service due to the destruction of the asset. Included in the costs to reconstruct should be appropriate labor charges. 

(3) Disclosure. This pertains to the unauthorized release of information to people without the need to know. Classified and Privacy Act data have been assigned a recommended impact value for the effects of disclosure. 

TABLE I 

GUIDELINES FOR IMPACT OF DISCLOSURE OF SENSITIVE DATA* 

FOR OFFICIAL USE ONLY               $1,000 
Privacy Act or CONFIDENTIAL        $10,000 
SECRET                            $100,000 
TOP SECRET                      $1,000,000 

*These values are provided for determining the impact of disclosure of sensitive data. For example, the impact of disclosure of a SECRET data file is assigned a value of $100,000, which corresponds to an impact value rating of 5. These values are only guidelines. The impact of disclosure of classified data, Privacy Act data, and all other data is up to the judgement of the functional user. [Ref. 4: p. E-44] 


(4) Denial of Service. This is where users are denied service although there has been no destruction of any assets. An example would be a power outage. In cases of denial of service, asset impact values should be based on additional costs incurred and penalties assessed due to delays in job completion. 

After determining the estimated dollar loss for each of the four impact areas, determine the impact value ratings from the table in section H.2.c of this chapter and enter them in the appropriate boxes at the bottom of the asset valuation worksheet. 

b. Threat and Vulnerability Evaluation 
In this step the asset valuation worksheets pre- 
pared in the previous step are examined and a determination 
is made as to which threat(s) could cause the impacts indi- 
cated. Upon identification of a threat, a threat and vul- 
nerability evaluation worksheet (Appendix B) is completed in 
the following manner: 

• The threat is listed by name; 

• The threat is described in general terms; 

• Examples of how the threat can exploit current vulnerabilities in the ADP environment are cited. Additionally, existing countermeasures to the threat are listed; 

• Using the threats and their impact table from Appendix B as a general guideline, an evaluation is made of which of the four impact areas could be affected by the threat; 

• After estimating the frequency of a successful attack for each impact area, use the table of i and f values in section H.2.c to determine the ratings to enter in the applicable boxes at the bottom of the threat and vulnerability evaluation worksheet. On the same form, describe the circumstances and vulnerabilities of the ADP activity which permit the threat to exist and document how the frequency of successful attack was estimated. 
c. Computation of Annual Loss Expectancy (ALE) 

The annual loss expectancy (or exposure) is simply a valuation of the average yearly dollar loss to the activity caused by attacks against its assets. To calculate the ALE, simply take the product of the dollar value loss of a successful attack by a threat and the frequency of occurrence of the threat. The following formula can be used to compute the annual loss expectancy: 

    ALE = 10^(f + i - 3) / 3 

where f = frequency of a successful attack by a threat 
      i = estimated cost impact of a successful attack [Ref. 5: p. 10] 

f and i are the ratings determined from the following table. 


TABLE II 

TABLES FOR SELECTION OF VALUES OF i AND f [Ref. 5: p. 10] 

If the estimated cost impact of the event is:      let i = 
    $10                                               1 
    $100                                              2 
    $1,000                                            3 
    $10,000                                           4 
    $100,000                                          5 
    $1,000,000                                        6 
    $10,000,000                                       7 
    $100,000,000                                      8 

If the estimated frequency of occurrence is:       let f = 
    Once in 300 years                                 1 
    Once in 30 years                                  2 
    Once in 3 years                                   3 
    Once in 100 days                                  4 
    Once in 10 days                                   5 
    Once per day                                      6 
    10 times per day                                  7 
    100 times per day                                 8 
To simplify calculations, these arguments can be used to enter the following matrix and determine the annual loss expectancy. 

FIGURE 1 

COMBINED MATRIX OF i, f AND ALE 

(Columns: f = 1, once in 300 years; 2, once in 30 years; 3, once in 3 years; 4, once in 100 days; 5, once in 10 days; 6, once per day; 7, 10 times per day; 8, 100 times per day. Cells below $300 and above $300M are left blank.) 

 i                 f=1     f=2     f=3     f=4     f=5     f=6     f=7     f=8 
 1  $10                                            $300    $3,000  $30k    $300k 
 2  $100                                   $300    $3,000  $30k    $300k   $3M 
 3  $1,000                         $300    $3,000  $30k    $300k   $3M     $30M 
 4  $10,000                $300    $3,000  $30k    $300k   $3M     $30M    $300M 
 5  $100,000       $300    $3,000  $30k    $300k   $3M     $30M    $300M 
 6  $1,000,000     $3,000  $30k    $300k   $3M     $30M    $300M 
 7  $10,000,000    $30k    $300k   $3M     $30M    $300M 
 8  $100,000,000   $300k   $3M     $30M    $300M 

[Ref. 5: p. 11] 


As can be seen, calculation of the ALE is relatively simple. Problems arise, however, because one threat may have different impacts on a number of assets. To help simplify the data and arrange it for easier analysis, ALE computation worksheets are used. For each of the four impact areas, a separate ALE computation worksheet is made out by completing the following steps: 

• Identify the impact area for which the ALE is being computed by marking the appropriate box; 

• List the assets and asset impact value ratings (taken from the asset valuation form) across the top of the ALE computation worksheet; 

• List threats and successful attack frequency (taken from the threat and vulnerability worksheets) down the left side of the ALE computation worksheet; 

• Use the above annual loss expectancy matrix to obtain an ALE for each asset/threat intersection. Enter this ALE; 

• Sum the asset columns down and the threat rows across. Ensure total threat and asset values are equal and enter the total in box 8. 

Upon completion of the ALE computation worksheet for each of the four impact areas, add their totals to derive the activity's total ALE. 
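As an added worked example (not part of the paper, and not code from OPNAVINST 5239.1A or FIPS Pub 65), the following Python turns the rating tables and the ALE formula above into functions and fills in the four ALE computation worksheets for a constructed set of assets and threats. The formula and the rating scales are the ones quoted above; the asset and threat names, their ratings, and the clamping of computed ratings to the 1 to 8 range of the tables are assumptions made for illustration.

```python
"""Method I annual loss expectancy (ALE) arithmetic (added example).

Implements the FIPS 65 rating tables and formula quoted in the text:
    i    impact rating:    $10 -> 1, $100 -> 2, ..., $100,000,000 -> 8
    f    frequency rating: once in 300 years -> 1, ..., 100 times/day -> 8
    ALE = 10 ** (f + i - 3) / 3
and rolls the ratings up into one ALE computation worksheet per impact area.
"""
import math


def impact_rating(dollars):
    """Rating i: the nearest power of ten of a dollar impact ($100,000 -> 5).
    Clamped to 1..8 (an assumption; the table stops at $100,000,000)."""
    if dollars <= 0:
        raise ValueError("impact must be a positive dollar amount")
    return max(1, min(8, round(math.log10(dollars))))


def frequency_rating(events_per_day):
    """Rating f from an estimated frequency of successful attack given as
    events per day: once per day -> 6, once in 100 days -> 4, 10/day -> 7.
    Once in 3 years (~1/1000 days) -> 3, once in 30 years -> 2 and once in
    300 years -> 1, matching the table's entries to within rounding."""
    if events_per_day <= 0:
        raise ValueError("frequency must be positive")
    return max(1, min(8, 6 + round(math.log10(events_per_day))))


def ale(f, i):
    """The FIPS 65 formula: ALE = 10^(f + i - 3) / 3 dollars per year."""
    return 10 ** (f + i - 3) / 3


def ale_matrix_cell(f, i):
    """The ALE as printed in the combined i/f matrix: 3 x 10^(f + i - 4),
    i.e. the formula rounded to one significant figure. None where the
    matrix leaves the cell blank (below $300 or above $300M)."""
    exponent = f + i - 4
    if exponent < 2 or exponent > 8:
        return None
    return 3 * 10 ** exponent


def ale_worksheet(asset_impact_ratings, threat_frequency_ratings):
    """One ALE computation worksheet for a single impact area.

    asset_impact_ratings:     {asset: i} from the asset valuation worksheets
    threat_frequency_ratings: {threat: f} from the threat and vulnerability
                              evaluation worksheets
    Returns (cells, threat_totals, asset_totals, total). The exact formula is
    used for every cell so that the row and column totals reconcile, which is
    the cross-check the worksheet asks for before the total goes in box 8.
    """
    cells = {(t, a): ale(f, i)
             for t, f in threat_frequency_ratings.items()
             for a, i in asset_impact_ratings.items()}
    threat_totals = {t: sum(cells[(t, a)] for a in asset_impact_ratings)
                     for t in threat_frequency_ratings}
    asset_totals = {a: sum(cells[(t, a)] for t in threat_frequency_ratings)
                    for a in asset_impact_ratings}
    total = sum(threat_totals.values())
    if not math.isclose(total, sum(asset_totals.values())):
        raise ArithmeticError("threat and asset totals do not reconcile")
    return cells, threat_totals, asset_totals, total


def activity_total_ale(worksheets):
    """Sum of the four impact-area worksheets: the activity's total ALE."""
    return sum(ale_worksheet(assets, threats)[3]
               for assets, threats in worksheets.values())


# Constructed sample input (not from the paper): impact ratings i per asset
# and successful-attack frequency ratings f per threat, one pair of
# dictionaries per impact area.
SAMPLE_WORKSHEETS = {
    "destruction": ({"payroll master file": 6, "computer room hardware": 6},
                    {"fire": 2, "tornado": 1}),
    "modification": ({"payroll master file": 5},
                     {"programming error": 4, "fraudulent input": 3}),
    "disclosure": ({"payroll master file": 4},
                   {"improper output handling": 4}),
    "denial of service": ({"computer room hardware": 5},
                          {"power outage": 4}),
}

if __name__ == "__main__":
    for area, (assets, threats) in SAMPLE_WORKSHEETS.items():
        _, by_threat, _, total = ale_worksheet(assets, threats)
        print(f"{area:18s} ALE ${total:>12,.0f}  "
              + "  ".join(f"{t}: ${v:,.0f}" for t, v in by_threat.items()))
    print(f"activity total ALE ${activity_total_ale(SAMPLE_WORKSHEETS):,.0f}")
```

The exact formula is kept for the worksheet cells rather than the one-significant-figure matrix values, because the worksheet's own check (threat totals equal asset totals) only holds exactly when every cell is computed the same way; the matrix values are what a team filling the form by hand would copy in, and the comparison between `ale` and `ale_matrix_cell` shows how much that rounding moves a single cell.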

d. Evaluation of Additional Countermeasures 

In the evaluation of countermeasures a cost bene- 
fit model is used. The cost of installation and implementa- 
tion of the countermeasures must be less than the decrease in 
the ALE due to the reduced vulnerabilities. The following 
steps should be performed to accomplish this evaluation. 

Take the completed computation worksheet and locate those threats with the highest values for individual threat ALE--the largest values in the far right column. 

Starting with the threats with the highest ALE, identify countermeasures which might be able to substantially reduce the vulnerabilities which these threats seek to exploit. (Note: Appendix F of OPNAVINST 5239.1A provides a partial list of countermeasures listed by category.) 

For each countermeasure offering a substantial 
reduction in vulnerability, prepare an additional counter- 
measures evaluation worksheet (Appendix B) by doing the fol- 
lowing steps: 


1. Enter the countermeasure name in section 2 and the description of the countermeasure in section 3; 

2. Estimate the annual cost of implementing the countermeasure. In instances where there is a one-time cost only, divide that cost by the anticipated life (in years) of the countermeasure. Enter in section 2; 

3. Identify the vulnerabilities that the countermeasure would reduce if implemented. Determine which threats would be reduced because of the lower vulnerability. Enter these in column form in section 4; 

4. Take the current ALE for each threat off of the ALE computation worksheet and enter in section 5a next to the appropriate threat. This value should be the sum of the ALEs for all four impact areas of the threat being examined; 

5. Using new ALE computation worksheets, determine and enter new successful attack frequency ratings for the threats for each impact area and calculate new ALEs. Sum these for all four impact areas and enter in section 5b; 

6. Subtract the projected ALE from the current ALE and enter in section 6; 

7. Sum all of the ALE savings in section 6 and enter the total in section 8; 

8. Divide the total ALE savings in section 8 by the annual cost of the countermeasure (section 2). This is the expected return on investment (ROI) and should be entered in section 7; 

9. In section 9 list any proposed countermeasures that may overlap the particular countermeasure under evaluation. 
e. Selection of Additional Countermeasures 

Now that the additional countermeasures have been 
evaluated individually, it is necessary to determine what 
effects the implementation of one countermeasure will have 
on the effects of the other countermeasures. As a starting 
point, the countermeasure with the highest ROI is assumed to 
be implemented and then the effects on the ROIs of the other 
countermeasures are calculated. To compute these effects, 
the following steps should be followed. 

(1) Sort the additional countermeasure evalua- 
tion worksheets, completed in the previous section, by de- 
scending order of ROI. List on the additional countermeasure 
summary listing (Appendix B) the original ROI, annual cost, 
Original ALE savings, and countermeasures in sections la, 2, 
3a, and 4, respectively. In section 5 make a notation if any 
of the countermeasures are required by higher authority. 

(2) Assume the first countermeasure is in effect and reevaluate the effects of the next countermeasure based on this assumption. Adjust the ALE savings and ROI as necessary. These figures should be entered in sections 3b and 1b. If the adjusted ROI of the second countermeasure is still greater than the ROI of the third countermeasure, assume that both the first and second countermeasures are in effect and reevaluate the effects and ROI of the third countermeasure. If the adjusted ROI of the second countermeasure is not higher than the ROI of the third countermeasure, evaluate the effects of the first countermeasure's implementation on the effectiveness and ROI of the third countermeasure. Compare the adjusted ROIs of the second and third countermeasures with the ROI of the fourth countermeasure. Continue in this manner until one adjusted ROI is greater than all of the other adjusted and unadjusted ROIs. Assume this countermeasure is in effect and proceed to reevaluate all other countermeasures based on this assumption. Continue in this manner, always selecting the highest adjusted ROI for implementation, until the ROI or adjusted ROI (whichever is lower) is less than 1 for all remaining countermeasures. At this point a negative return is being obtained for each additional countermeasure. Since the countermeasures are now costing more to install and implement than they are accomplishing in risk reduction, it is not advisable to install any of them. The one exception to this would be those countermeasures that are required by higher authority. All countermeasures that fit into this category should be assigned the highest possible priority regardless of ROI. 

(3) A plan of action and milestones for implementing the selected countermeasures should be developed. Using available funds, all countermeasures that have been made mandatory by higher headquarters or that have an adjusted ROI greater than 1 should be implemented. For all unfunded countermeasures with an ROI greater than 1, additional funds should be sought through normal budget channels. 
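The evaluation and selection steps above, as an added Python example that is not part of the paper or of OPNAVINST 5239.1A. It amortises one-time costs as step 2 of the evaluation worksheet directs, computes each countermeasure's original ROI (ALE savings divided by annual cost), and then runs the selection loop of section e: countermeasures required by higher authority first, then always the one with the highest adjusted ROI given what is already assumed installed, stopping when every remaining countermeasure's adjusted ROI is below 1. Two things are assumptions made here rather than from the text: each threat carries one successful-attack frequency rating instead of one per impact area, and two countermeasures acting on the same threat combine by the lower frequency rating winning, with no extra credit for the second one (that rule is what makes an adjusted ROI computable). The threats, countermeasures and costs are constructed sample data.

```python
"""Method I countermeasure evaluation and selection (added example).

ROI = (current ALE - projected ALE) / annual cost, with the projected ALE
re-computed against whatever is already assumed installed (adjusted ROI).
"""


def ale(f, i):
    """FIPS 65 formula used by Method I: ALE = 10^(f + i - 3) / 3."""
    return 10 ** (f + i - 3) / 3


class Threat:
    """A threat row: its current frequency rating f and the impact ratings i
    of the assets it attacks (simplified to one f rather than one per impact
    area). ale_at(f) is the threat's total ALE at a given frequency rating."""
    def __init__(self, name, f, asset_impact_ratings):
        self.name, self.f, self.impacts = name, f, list(asset_impact_ratings)

    def ale_at(self, f):
        return sum(ale(f, i) for i in self.impacts)


class Countermeasure:
    """new_f maps threat name -> frequency rating expected once this
    countermeasure is installed. One-time costs are divided by the
    anticipated life in years, as step 2 of the evaluation worksheet says."""
    def __init__(self, name, new_f, annual_cost=0.0, one_time_cost=0.0,
                 life_years=1, mandatory=False):
        self.name, self.new_f, self.mandatory = name, new_f, mandatory
        self.annual_cost = annual_cost + one_time_cost / life_years


def projected_f(threat, installed):
    """Frequency rating of `threat` with every countermeasure in `installed`
    in effect. ASSUMPTION: effects do not stack; the lowest rating any one
    of them achieves is the projected rating."""
    return min([threat.f] + [c.new_f.get(threat.name, threat.f) for c in installed])


def total_ale(threats, installed):
    return sum(t.ale_at(projected_f(t, installed)) for t in threats)


def evaluate(cm, threats, installed=()):
    """Sections 5 to 7 of the evaluation worksheet: (ALE savings, ROI) of
    `cm` given the countermeasures in `installed`. With installed=() this is
    the original ROI; otherwise it is the adjusted ROI of section e."""
    installed = list(installed)
    savings = total_ale(threats, installed) - total_ale(threats, installed + [cm])
    return savings, savings / cm.annual_cost


def select_countermeasures(threats, candidates):
    """Selection loop of section e. Returns [(name, savings, ROI)] in
    implementation order; savings and ROI are the adjusted figures at the
    moment each countermeasure was chosen."""
    installed, plan = [], []
    # Countermeasures required by higher authority: top priority regardless of ROI.
    for cm in [c for c in candidates if c.mandatory]:
        savings, roi = evaluate(cm, threats, installed)
        installed.append(cm)
        plan.append((cm.name, savings, roi))
    remaining = [c for c in candidates if not c.mandatory]
    while remaining:
        scored = [(evaluate(c, threats, installed), c) for c in remaining]
        (savings, roi), best = max(scored, key=lambda s: s[0][1])
        if roi < 1:  # every remaining one now returns less than it costs
            break
        installed.append(best)
        remaining.remove(best)
        plan.append((best.name, savings, roi))
    return plan


# Constructed sample data (not from the paper).
THREATS = [
    Threat("fire", f=2, asset_impact_ratings=[6, 6]),
    Threat("programming error", f=4, asset_impact_ratings=[5]),
    Threat("fraudulent input", f=3, asset_impact_ratings=[5]),
    Threat("power outage", f=4, asset_impact_ratings=[5]),
]
CANDIDATES = [
    Countermeasure("Privacy Act audit trail", {"fraudulent input": 2},
                   annual_cost=15_000, mandatory=True),
    Countermeasure("Halon fire suppression", {"fire": 1},
                   one_time_cost=60_000, life_years=10),
    Countermeasure("Smoke detection wired to fire department", {"fire": 1},
                   annual_cost=3_000),
    Countermeasure("Program change control",
                   {"programming error": 3, "fraudulent input": 2},
                   annual_cost=40_000),
    Countermeasure("Uninterruptible power supply", {"power outage": 2},
                   annual_cost=10_000, one_time_cost=200_000, life_years=5),
    Countermeasure("Hardened backup site", {"fire": 1, "power outage": 3},
                   annual_cost=500_000),
]

if __name__ == "__main__":
    for cm in CANDIDATES:
        print(f"{cm.name:42s} original ROI {evaluate(cm, THREATS)[1]:6.2f}")
    for name, savings, roi in select_countermeasures(THREATS, CANDIDATES):
        print(f"implement {name:42s} adjusted savings ${savings:>10,.0f} ROI {roi:.2f}")
```

On the sample data the two fire countermeasures illustrate the adjustment: Halon has an original ROI of 10, but once the cheaper smoke detection (ROI 20) is assumed in effect its adjusted savings fall to zero, so it is never selected; the backup site never clears an ROI of 1 either before or after the UPS is assumed installed.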
(4) After reviewing the documentation generated during the risk assessment, the Designated Approving Authority (DAA) will either grant accreditation, issue an interim authority to operate, or order operations to cease. [Ref. 4: p. 3-1] 


I. METHOD II 

This method incorporates the same essential steps as 
Method I, but it does not go into as great a detail nor does 
it provide for interaction in the impact areas. Therefore, 
its use is limited to less complex ADP environments. The 
following procedures should be followed when using Method II. 

1. Asset Identification and Valuation 

Assets are identified and valued in the same manner as in Method I, but the information is entered on a risk assessment matrix (Appendix B) instead of an asset valuation worksheet. 


2. Threat and Vulnerability Evaluation and ALE 
Computation 


To complete this step: 

• List the threat by name on the left side of the risk assessment matrix; 

• Assign a threat value of low, medium, or high by the guidelines set forth in Table IV. Enter this value in the space marked 'TV'; 

• To compute the ALE, multiply the asset value by the multiplier corresponding to the threat value (determined in the previous step). Enter this value in the risk assessment matrix; 

• Sum the rows across and the columns down and record the total on the form. 
TABLE IV 

THREAT VALUES 

Threat Value        Multiplier 
Low (L)             (illegible in source) 
Moderate (M)        (illegible in source) 
High (H)            (illegible in source) 

Definitions: 

LOW--The risk of a given threat to a specific asset is assessed as having little or no significant impact on that asset as a result of destruction, modification, or disclosure of data, or denial of service. This assessment is made when the threat is considered to be: (1) very unlikely to occur; (2) not applicable; (3) to have low impact on that asset if it does occur; or (4) the threat is controlled by existing countermeasures. 

MODERATE--The risk of a given threat to a specific asset is assessed as having a moderate impact on that asset as a result of destruction, modification, or disclosure of data, or denial of service. 

HIGH--The risk of a given threat to a specific asset is assessed as having a very significant impact on that asset as a result of destruction, modification, or disclosure of data, or denial of service. This assessment is made when the threat is considered to have a reasonable likelihood of occurrence and, if it occurs, the impact to that asset would be significant. [Ref. 4: p. E-4] 


3. Selection of Additional Countermeasures 

Method II also uses a cost benefit model for determining which countermeasures should be installed. The one flaw in this model is that all vulnerabilities are treated as if they are mutually exclusive. It does not account for the fact that one countermeasure may help to reduce a vulnerability and therefore lower the ROI for another countermeasure. To determine the countermeasures to employ, complete the following steps. 

Identify the threats that have the most potential for damage based upon their ALEs and then determine countermeasures which have the most promise of substantially reducing the vulnerabilities which these threats seek to exploit. Enter these countermeasures in column A of the additional countermeasure selection worksheet in Appendix B. 

List the threats acted on by the countermeasure in column B with the original ALE for each threat in column C. 

Assign a new threat value with the assumption that the countermeasure has been installed. Use this to compute a new ALE which is then entered in column D. 

Subtract the revised ALE from the original ALE and enter in column E. This is the annual savings. 

Estimate the annual cost for installing and maintaining the countermeasure. Any one-time cost should be amortized over the useful life of the countermeasure. Enter this cost in column F. 

Divide column E by column F to obtain the ROI which is entered in column G. 

Assign countermeasure priorities based on mandatory requirements by higher authority and by descending order of ROI. 

Implement all countermeasures with an ROI greater than 1 or those made mandatory by higher authority. If sufficient funds are not available, request more in the budget cycle. 
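Method II's matrix and selection worksheet, as an added Python example that is not part of the paper or of OPNAVINST 5239.1A. It fills in a risk assessment matrix from asset values and low/moderate/high threat values, builds the additional countermeasure selection worksheet (columns A through G, mandatory countermeasures first, then descending ROI), and then shows the flaw described above: because every countermeasure is evaluated against the original matrix, two countermeasures that act on the same threat each claim the full savings, and the sum of column E for the countermeasures selected can exceed what installing them together actually saves. The multipliers are placeholder assumptions (Table IV's values are not legible in this copy of the paper); the rule that the lower threat value stands when two countermeasures act on the same cell is also an assumption; the assets, threats, threat values and countermeasures are constructed sample data.

```python
"""Method II risk assessment matrix and countermeasure selection (added example)."""
import math

# Table IV multipliers. PLACEHOLDER VALUES (assumption): the multipliers are
# not legible in this copy of the paper; substitute the OPNAVINST 5239.1A values.
MULTIPLIER = {"L": 0.1, "M": 0.5, "H": 1.0}
RANK = {"L": 0, "M": 1, "H": 2}


def risk_assessment_matrix(asset_values, threat_values):
    """asset_values: {asset: dollar value}; threat_values: {threat: {asset: TV}}
    with TV one of 'L', 'M', 'H'. A pair that is not listed is 'L' (the
    definition of LOW includes 'not applicable'). Each cell is the Method II
    ALE, asset value x multiplier. Returns (cells, threat_totals,
    asset_totals, total) after the row/column cross-check."""
    cells = {(t, a): value * MULTIPLIER[tvs.get(a, "L")]
             for t, tvs in threat_values.items()
             for a, value in asset_values.items()}
    threat_totals = {t: sum(cells[(t, a)] for a in asset_values) for t in threat_values}
    asset_totals = {a: sum(cells[(t, a)] for t in threat_values) for a in asset_values}
    total = sum(threat_totals.values())
    if not math.isclose(total, sum(asset_totals.values())):
        raise ArithmeticError("row and column totals do not reconcile")
    return cells, threat_totals, asset_totals, total


def countermeasure(name, new_tv, annual_cost=0.0, one_time_cost=0.0,
                   life_years=1, mandatory=False):
    """new_tv: {threat: {asset: TV}} once the countermeasure is installed.
    One-time costs are amortized over the useful life (column F)."""
    return {"name": name, "new_tv": new_tv, "mandatory": mandatory,
            "annual_cost": annual_cost + one_time_cost / life_years}


def apply_countermeasures(threat_values, countermeasures):
    """Revised threat values with the given countermeasures installed; where
    two act on the same cell the lower threat value stands (assumption)."""
    revised = {t: dict(tvs) for t, tvs in threat_values.items()}
    for cm in countermeasures:
        for t, upd in cm["new_tv"].items():
            for a, tv in upd.items():
                revised[t][a] = min(revised[t].get(a, "L"), tv, key=RANK.get)
    return revised


def selection_worksheet(asset_values, threat_values, countermeasures):
    """Additional countermeasure selection worksheet, columns A..G, in
    priority order (mandatory first, then descending ROI). As Method II
    prescribes, every countermeasure is evaluated against the ORIGINAL
    matrix, independently of the others."""
    orig = risk_assessment_matrix(asset_values, threat_values)[1]
    rows = []
    for cm in countermeasures:
        new = risk_assessment_matrix(asset_values, apply_countermeasures(threat_values, [cm]))[1]
        threats = list(cm["new_tv"])                      # column B
        original_ale = sum(orig[t] for t in threats)      # column C
        revised_ale = sum(new[t] for t in threats)        # column D
        savings = original_ale - revised_ale              # column E
        cost = cm["annual_cost"]                          # column F
        rows.append({"A": cm["name"], "B": threats, "C": original_ale, "D": revised_ale,
                     "E": savings, "F": cost, "G": savings / cost, "mandatory": cm["mandatory"]})
    rows.sort(key=lambda r: (not r["mandatory"], -r["G"]))
    return rows


def to_implement(rows):
    """Implement everything mandatory or with an ROI greater than 1."""
    return [r["A"] for r in rows if r["mandatory"] or r["G"] > 1]


def combined_savings(asset_values, threat_values, countermeasures):
    """What the set actually saves when installed together. Compare with the
    sum of column E to see the double counting Method II does not correct."""
    before = risk_assessment_matrix(asset_values, threat_values)[3]
    after = risk_assessment_matrix(asset_values, apply_countermeasures(threat_values, countermeasures))[3]
    return before - after


# Constructed sample data (not from the paper).
ASSETS = {"payroll master file": 1_000_000, "computer room hardware": 500_000, "source documents": 50_000}
THREATS = {
    "fire": {"payroll master file": "H", "computer room hardware": "H", "source documents": "M"},
    "power outage": {"computer room hardware": "M"},
    "fraudulent input": {"payroll master file": "M"},
}
CANDIDATES = [
    countermeasure("Input audit trail", {"fraudulent input": {"payroll master file": "L"}},
                   annual_cost=15_000, mandatory=True),
    countermeasure("Halon fire suppression",
                   {"fire": {"payroll master file": "L", "computer room hardware": "L", "source documents": "L"}},
                   one_time_cost=60_000, life_years=10),
    countermeasure("Off-site copy of master file", {"fire": {"payroll master file": "L"}}, annual_cost=12_000),
    countermeasure("Uninterruptible power supply", {"power outage": {"computer room hardware": "L"}},
                   annual_cost=10_000, one_time_cost=200_000, life_years=5),
    countermeasure("24-hour guard post", {"fire": {"source documents": "L"}}, annual_cost=120_000),
]

if __name__ == "__main__":
    rows = selection_worksheet(ASSETS, THREATS, CANDIDATES)
    for r in rows:
        print(f"{r['A']:30s} savings ${r['E']:>10,.0f} cost ${r['F']:>8,.0f} ROI {r['G']:7.2f}")
    chosen = [c for c in CANDIDATES if c["name"] in to_implement(rows)]
    print("sum of column E for selected:", sum(r["E"] for r in rows if r["A"] in to_implement(rows)))
    print("actual combined savings:     ", combined_savings(ASSETS, THREATS, chosen))
```

With the placeholder multipliers, the total ALE of the sample matrix is $2,435,000, yet column E for the four selected countermeasures sums to $2,870,000: the off-site copy and the Halon system both claim the fire savings on the master file. Installing all four together actually saves $1,970,000. The worksheet still ranks them sensibly, but the savings column is not additive, which is why a team working Method II should not quote the sum of column E as the expected reduction in exposure.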

The Designated Approving Authority (DAA), using the 
documentation generated, will grant accreditation, issue 


interim authority to operate, or order operations to cease. 


J. RISK ASSESSMENT DOCUMENTATION 

Copies of the risk assessment documentation will be maintained to support the budget requests, help document the activity ADP security plan, and provide references for future risk assessment documentation. It is important to note that all reports, worksheets, and other documentation pertaining to risk analysis are highly sensitive and should be marked and stored as such. [Ref. 5: p. 15] 

The risk assessment documentation will be kept updated and the risk assessment repeated: 

a. At least every five years. 

b. When any change is made to the facility, ADP equipment, system software, or application software which affects the overall ADP security posture. 

c. When any change is made in operational configuration, data sensitivity, or classification level. 

d. When any change is made which appears to invalidate the original conditions of accreditation. [Ref. 4: p. E-17] 


K. OTHER CONSIDERATIONS 

1. Accuracy of Calculations 

Because there are so many variables in determining the frequency and impact of threats, calculations are usually rounded off to the nearest factor of 10. When trying to dollarize the impact or calculate the frequency of occurrence, it is up to the team to use a combination of historical data, their knowledge of the system and their own expertise and judgment. A lot of time should not be wasted trying to make calculations down to the nearest dollar. As is pointed out in FIPS Pub 65, "There will be no significant difference in the overall exposure whether the damage from a certain event is estimated at $110,000 or $145,000" [Ref. 5]. 
2. Human Frailty 

When determining countermeasures, do not count personal integrity as a factor contributing to security. Individuals are under different pressures, both financial and emotional, at different times and therefore their resistance to temptation may be weakened [Ref. 5: p. 14]. Donn B. Parker points out several generalized conclusions about computer crime: 

• Employers are more likely to be defrauded by their own employees than by outsiders; 

• Generally, employees who defraud their employer do so by using resources to which they have access in their jobs; 

• The best way to curtail white collar crime is to remove opportunity and incentives; 

• The second best deterrent is the fear of getting caught. [p. 7] 
3. Additional Information

More detailed information concerning risk analysis can be obtained from FIPS Pub 41, which deals with computer security guidelines for implementing the Privacy Act, and from FIPS Pub 65, which is a guideline for ADP risk analysis in the federal government. It should be noted that OPNAVINST 5239.1A is based on the latter reference. Additionally, FIPS Pub 65 contains an example of a risk analysis.
V. PHYSICAL SECURITY

Physical security is an important part of any ADP security plan. Additionally, it has been made a mandatory part of all ADP security plans, as indicated by the following quote: "The ADP activity or network will be externally protected against unauthorized access to entry points, access to data, or damage to the activity" [Ref. 4: p. 1-2]. Physical security is defined as follows:

Physical security is the protection of a material entity from disruption of its safe and secure state and is concerned with physical measures designed to safeguard personnel, to prevent unauthorized access to equipment, facilities, material, and documents, and to safeguard them against espionage, sabotage, damage, and theft.

a. The use of locks, badges, and similar measures to control access to the central computer facility.

b. The measures required for the protection of the structures housing the central computer facility from damage by accident, fire, environmental hazards, loss of utilities, and unauthorized access. (DON) [Ref. 4: p. A-14]

During the assessment of the need for physical security controls, the risk assessment principles of Chapter IV should be used. When determining whether to implement physical security controls, except those controls required by higher authority, calculations should be performed to determine if the annual cost of the proposed control is less than the reduction in the annual loss expectancy achieved. There would be no reason to implement a non-mandatory control that costs more than it could save.
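The two points above, rounding frequency and impact to the nearest factor of ten (Section K.1) and implementing a non-mandatory control only when its annual cost is below the annual loss expectancy (ALE) it removes, in working form. This is an added example, not part of the thesis or of OPNAVINST 5239.1A; it uses the order-of-magnitude rating scales and the ALE = 10^(f+i-3)/3 formula from FIPS PUB 65 (which this page cites but does not reproduce), and the dollar figures, frequencies and the suppression-system control are constructed for illustration.

```python
"""Order-of-magnitude risk calculation in the FIPS PUB 65 style.

Impact is rated as an exponent i (loss of about 10**i dollars) and
frequency as an exponent f (each step of f is a factor of ten; f = 3
means about once in 3 years), so ALE = 10**(f + i - 3) / 3 dollars per
year.  Precision below the rating step is deliberately discarded.
"""
import math


def impact_rating(dollars: float) -> int:
    """Rate a dollar loss by its nearest power of ten (FIPS 65 'i' scale)."""
    if dollars <= 0:
        raise ValueError("loss estimate must be positive")
    return round(math.log10(dollars))


def frequency_rating(per_year: float) -> int:
    """Rate an annual frequency on the FIPS 65 'f' scale.

    A rating f corresponds to 10**(f-3)/3 occurrences per year:
    f=1 once in 300 years, f=2 once in 30 years, f=3 once in 3 years,
    f=4 about once in 100 days, f=6 about once a day.
    """
    if per_year <= 0:
        raise ValueError("frequency must be positive")
    return round(math.log10(3 * per_year) + 3)


def annual_loss_expectancy(f: int, i: int) -> float:
    """FIPS 65 table formula: ALE = 10**(f + i - 3) / 3 dollars per year."""
    return 10 ** (f + i - 3) / 3


def control_is_justified(annual_cost: float, before: tuple, after: tuple) -> tuple:
    """Decide whether a non-mandatory control pays for itself.

    `before` and `after` are (f, i) ratings of the threat without and
    with the control.  Returns (justified, annual ALE reduction): the
    control is worth implementing only when its annual cost is less
    than the ALE it removes.
    """
    reduction = annual_loss_expectancy(*before) - annual_loss_expectancy(*after)
    return annual_cost < reduction, reduction


def worked_example() -> dict:
    """Constructed figures (assumed, not data from the thesis): a fire in
    the tape library, and a proposed fire-suppression system."""
    # Two analysts estimate the same fire at $110,000 and $145,000;
    # both round to i = 5, so the disagreement changes nothing.
    i_low, i_high = impact_rating(110_000), impact_rating(145_000)
    # The fire is estimated to occur about once every 30 years (f = 2).
    f = frequency_rating(1 / 30)
    ale_before = annual_loss_expectancy(f, i_high)
    # The suppression system does not change the frequency, but is
    # expected to hold the loss to about $10,000 per fire (i = 4).
    i_after = impact_rating(10_000)
    justified, reduction = control_is_justified(1_500, (f, i_high), (f, i_after))
    return {
        "impact_ratings_agree": i_low == i_high,
        "f": f,
        "ale_before": ale_before,          # 10**4 / 3, about $3,333 per year
        "ale_reduction": reduction,        # about $3,000 per year
        "control_justified": justified,    # $1,500 per year < $3,000 per year
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The same control at an annual cost of $5,000 fails the test, since the ALE it removes is only about $3,000 per year; the rating step means that a proposed control can only be justified against a threat at least one order of magnitude larger than its own cost, which is the granularity the text argues for.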


A. THREATS AND VULNERABILITIES

As indicated in the preceding definition, physical security measures are installed to lessen the risk of damage from unauthorized access, accidents, fire and environmental hazards, and loss of utilities. Some of the actual physical threats and hazards pertaining to each of these classifications are indicated below.

Deliberate Intrusions
• Theft of physical assets
• Theft of information
• Fraud
• Internal sabotage
• External sabotage
• Riots
• Strikes
• Mischief
• Industrial or governmental espionage

Accidental Losses
• Incompetence
• Curiosity
• Interruptions
• Industrial accident

Natural or Man-made Hazards
• Fire
• Windstorm
• Hurricane
• Tornado
• Lightning
• Earthquake
• Explosion
• Flood
• Water damage
• Snow and ice
• Rain and mud

Utility Outages or Breakdowns
• Power
• Communications
• Air conditioning
• Water
• Steam
• Sewer [Ref. 9: p. 29]


Browne also stated that an agency's susceptibility to physical threats may actually be increased if any of the following conditions are present.

• Intense external competition, with high risk of industrial or national espionage and theft of data.

• Intense internal competition, with resultant high turnover in jobs and even reduction in employment force.

• Low employee morale, with tendency toward disgruntlement.

• Centralization of the DP workload in one data center, with increased exposure to a single disaster.

• Access to the central computer from physically insecure remote locations. In the case of dial-up accessibility, either the capability must be severely restricted by hardware/software controls, or the remote sites must be made physically secure. Direct access by personnel of other departments whose functions involve the use of the computer means that security controls for those departments must be in force.

• Widespread negative visibility of the organization. Certain companies have been targets of antiwar demonstrations or environmentalist protests. Even government units are susceptible to protests involving privacy, social responsibility, or welfare. Being a sociological phenomenon, this threat is quite variable over time.

• Location of the data processing operation in a high risk environment. [Ref. 9: p. 30]

The control measures used to implement physical security can be divided into four major areas. These areas are described in the following four sections by the threats that they attempt to counteract and are access, fire, utilities, and natural disasters.


B. ACCESS CONTROLS

1. Overview

Access controls are defined as "procedures to limit access to sensitive areas" [Ref. 10: p. 83]. When determining which physical access controls to employ, the optimum strategy is to control access at each point from the outer perimeter all the way down to subdivisions of the ADP operation. To implement this strategy it is convenient to consider the following four points at which access can be limited [Ref. 9: pp. 30-31].

a. External Perimeter

The first line of defense for a computer facility is usually the fence that separates the ground on which the computer facility is sited from the outside world. In instances where a computer operation shares a building with other activities, a fence at the external perimeter may be neither possible nor desirable. The external perimeter helps deter trespassing and funnels employees, visitors, and the public to selected building entrances [Ref. 10: p. 48].
b. Building Access

The external perimeter funnels all persons to the building entrances, where another screening process should occur. Again, as in the case of the external perimeter, when a computer facility is colocated with other activities, screening at this point is often limited.

c. Area Access

After an individual is in the building, he can still be denied access to the areas surrounding the data processing function by measures such as badges, locked stairwell doors, elevator restrictions, CCTV, alarmed doors, signs, and guards.

d. Computer Room Access

If an unauthorized individual makes it through the first three barriers, he still has to negotiate access to the computer itself. Devices similar to those used to control area access can be implemented. Additionally, door locks might also be used to limit access. Even within the computer room, access to different functions should be limited--this would especially include access to the tape library. As a minimum, the following areas should be analyzed to determine the individuals that should be allowed access.

• Computer room;
• Data storage library;
• Input/output area;
• Data conversion area;
• Programmer areas/file;
• Document library;
• Communications equipment area;
• Computer maintenance room;
• Mechanical equipment room;
• Telephone closet;
• Supplies storage. [Ref. 10]
2. Procedures for Determining Necessary Access Controls

When trying to determine which access controls best permit access to the facility by authorized personnel while denying access to others, it is helpful to think about the problem in the following three dimensions:

People--Specific controls are required for different classes of individuals, such as management personnel, programmers, operators, service engineers, janitors, and others.

Areas--Access points all the way from the outside perimeter of the building into the computer room must be identified and controlled; remote terminal areas also must be controlled.

Time--The above two aspects must be considered in terms of the time of day, e.g., business hour versus non-business hour controls. [Ref. 9: p. 31]

An additional consideration is that the protective measures should be strong enough to achieve stated goals but not so restrictive that they are overly expensive or cumbersome. Any measure so restrictive as to cause a large impediment to work flow may be thwarted by the operating personnel. For example, a security door which requires complicated opening procedures may soon be left slightly ajar by operating personnel. As previously mentioned, to determine the protection measures needed, the risk assessment methodology outlined in Chapter IV should be employed. The first step in doing this is basically the preliminary security examination. Asset costs should first be listed. Then, all threats that can be lessened by physical access controls should be listed. These threats might include common criminals, political activists, vandals, disgruntled employees, etc. After the threats are listed, all areas within the facility should be defined and tabulated. The tabulation would include a statement of the location, function, access requirements (which people at what times), and criticality (contents or activities which may be targets for wrongdoers) for each area. Upon completion of this step, an assessment of the current security measures should be made by completing the following survey.
Instructions for the Facility Physical Security Survey

A. Obtain a current floor plan which depicts all areas within the facility to include all access points and any adjacent areas belonging to the facility, such as parking lots and storage areas.

B. Begin the survey at the perimeter of the facility and note the following:

1. Property line to include fencing, if any, and type. Condition, number of openings as to type and use, and how secured. Are there any manned posts at the property line?

2. Outside parking facilities. Is this area enclosed and are there any controls? Is the parking lot controlled by manned posts or are devices used?

3. Perimeter of facility. Note all vehicular and pedestrian entrances and what controls are used, if any. Check all doors--number, how secured, any controls or devices, such as alarms or key card devices. Check for all ground floor or basement windows--how secured; screening, bars, etc., and vulnerability. Check for other entrances such as vents, manholes, etc. Are they secured and how? Check for fire escapes--number and location and accessibility to interior of facility from fire escape (windows, doors, roof). How are accessways secured?

4. Internal security. Begin at the top floor or in the basement. Check for fire alarm systems and devices noting the type, location, and number. Where does the alarm annunciate? Check telephone and electrical closets to see if they are locked. Are mechanical and electrical rooms locked or secured? Note any existing alarms as to type and number. Where do the alarms annunciate? Determine number and location of manned posts, hours, and shifts.

5. Monitoring facility. Location, who monitors, who responds, type, and number of alarms being monitored.

The following questions should also be included in a physical security survey:

1. Is the installation/building protected by alarm system(s)?

2. How many zones of protection are within the protected building?

3. Is the alarm system adequate and does it provide the level of protection required?

4. Are there any vulnerable areas, perimeter, or openings not covered by an alarm system?

5. Is there a particular system that has a high nuisance alarm rate?

6. Is the alarm system inspected and tested occasionally to insure operation?

7. Is the system backed up by properly trained, alert protection officers who know what steps to take in case of an alarm?

8. Is the alarm system regularly inspected for physical and mechanical deterioration?

9. Does the system have tamper-proof switches to protect its integrity?

10. Do system(s) have environmental or protective housing or covers?

11. Is there an alternate or separate source of power available for use on the system in the event of external power failure?

12. Where is the annunciating unit located--local, central station, etc.?

13. Who maintains the equipment and how is it maintained (contract, lease equipment, force account personnel)?

14. Is the present equipment outdated?

15. Are records kept of all alarm signals received to include time, date, location, action taken, and cause of alarm?

16. Are alarms generated occasionally to determine the sensitivity and the capabilities of systems? [Ref. 10: pp. 46-47]


After completion of the above steps, the risk assessment methodology should be employed to aid in choosing appropriate countermeasures. The following four subsections contain a discussion of countermeasures currently available for each access point.

3. External Perimeter

There are four main methods for limiting access at the boundary of the ADP site. Each of these has certain advantages and disadvantages. It may well be that a combination of methods will be needed to provide proper security. [Ref. 10: pp. 47-48]
a. Fences or Other Barriers 
These measures will provide crowd control, deter 
casual trespassers and help in controlling access to en- 
trances. Disadvantages include cost, unsightliness, in- 
ability to use in certain areas (such as around the Federal 
building) and the fact that a determined individual can pene- 
trate it. Additionally, a response force is needed to handle 
any individuals penetrating the barrier. 
b. Intrusion Detectors 
Intrusion detectors are usually infrared or 
microwave beam devices which, when interrupted by an in- 
truder, will result in an alarm sounding. They are cheaper 
than fences, but are not effective in crowd control, can be 
circumvented by a determined intruder, and are subject to 
nuisance alarms caused by unintentional trespassers or false 
alarms. Additionally, an immediate response force is re- 
quired upon the sounding of an alarm. 
c. Patrol Forces

Patrol forces are most often used when a number of Federal buildings are colocated in the same area but fencing or other barriers are impractical. Patrol forces can provide immediate response, aid in crowd control, and their presence is usually a deterrent to intruders. However, their cost is prohibitive and intruders can slip in while the force is making its rounds.

d. Closed-Circuit Television System (CCTV)

CCTV allows an individual stationed in a command post to monitor a large area and is usually less expensive than a roving patrol. Additionally, it can aid in crowd control by allowing the individual in the command post to monitor the crowd and send the reaction force to the point needed. Some of its disadvantages are that it is susceptible to electrical failure unless a back-up generator is provided, an inattentive monitor can allow access to go unnoticed, and it requires a response force.

4. Building Access

One of the purposes of the external perimeter is the 
funneling of persons desiring access to entrance doors where 
the screening process can occur again. However, an indi- 
vidual desiring unauthorized access is more likely to try an 
unguarded door, window or other opening instead of going 
through a door where further screening is required. There- 
fore, in this section both entrance door controls and perime- 
ter intrusion controls will be discussed. 

a. Entrance Door Controls

At an entrance door, personnel can be screened either by a guard or by the possession of a suitable device to unlock the door. The guard, when following strict entrance procedures, constitutes a more effective screening procedure. A guard does not have to be a uniformed person. It may be a receptionist, clerk, or anyone else who requires an individual to provide identification before permitting entrance. One disadvantage of guards is that often they can be talked into allowing entrance to an individual without proper identification if that person can provide a plausible reason. However, guards are especially useful in preventing tailgating. Tailgating occurs when an intruder enters immediately after an authorized entrant. There are three basic methods that can be used for establishing identity for the purpose of admittance [Ref. 11: pp. 8-12].

(1) Something Known to an Individual. This refers to a combination that must be entered to obtain access. A disadvantage of this system is that it may be compromised without people being aware of it. There are two types of combination locks currently in use:

Mechanical push button combination locks restrict entrance by allowing access to only those persons who press the correct combination. However, this system does not allow for an audit trail of who entered or the time entered. If there are a number of authorized entry points, either the same combination will open every door or individuals may have to memorize a different combination for each door. This reduces the effectiveness of separating ADP functions by different doors and locks. Another disadvantage is that combinations must be changed often and personnel informed of the new combination. The major advantages of the system are that it is relatively inexpensive and easy to implement.

Electronic combination locks restrict entrance to those persons who key in the correct combination. A number of models with varying capabilities can be obtained. These capabilities range from simple machines that allow access in the same manner as mechanical combination locks to more complicated systems where each individual has his own combination. Through individual combinations the system can lock out specified combinations, limit access to specified times, log all entrances and exits, and control a number of different doors. This overcomes most of the shortcomings of mechanical combination locks but it is much more expensive [Ref. 10: p. 49].
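The People/Areas/Time dimensions of Section B.2 and the capabilities just attributed to electronic combination locks (an individual combination per person, lock-out of one combination, access limited to specified doors and times, and a log of every entry attempt) as one working model. This is an added example written for this page, not the software of any lock vendor or of the thesis; the area names, roles, hours, people and combinations are assumed.

```python
"""People x Areas x Time access policy with an audit trail.

Illustrative model of an electronic combination lock controller:
each person has an individual combination, a single combination can be
locked out, every door grants entry only to listed roles during listed
hours, and every attempt (granted or denied) is logged with a reason.
Area names, roles, hours and combinations below are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Window:
    """Daily window [start, end).  When end <= start the window wraps
    past midnight (e.g. 18:00 to 06:00); 00:00 to 00:00 is the whole day."""
    start: time
    end: time

    def contains(self, t: time) -> bool:
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


ALWAYS = Window(time(0, 0), time(0, 0))
BUSINESS = Window(time(7, 0), time(18, 0))
NIGHT = Window(time(18, 0), time(6, 0))

# Areas (doors) -> classes of people -> hours during which they may enter.
POLICY = {
    "computer_room":    {"operator": ALWAYS, "service_engineer": BUSINESS},
    "tape_library":     {"operator": ALWAYS, "librarian": BUSINESS},
    "programmer_area":  {"programmer": BUSINESS, "manager": BUSINESS},
    "supplies_storage": {"operator": ALWAYS, "janitor": NIGHT},
}


def permitted(area: str, role: str, hour: int, minute: int = 0) -> bool:
    """Policy lookup only: may this class of person enter this area at this time?"""
    window = POLICY.get(area, {}).get(role)
    return window is not None and window.contains(time(hour, minute))


@dataclass(frozen=True)
class Credential:
    person: str
    role: str
    combination: str    # the individual combination keyed at the door


@dataclass
class AccessController:
    credentials: dict = field(default_factory=dict)   # combination -> Credential
    locked_out: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def enroll(self, cred: Credential) -> None:
        self.credentials[cred.combination] = cred

    def lock_out(self, combination: str) -> None:
        """Disable one person's combination without touching anyone else's."""
        self.locked_out.add(combination)

    def request(self, area: str, combination: str, when: datetime) -> bool:
        """Evaluate one door request; the attempt is logged whether or not it is granted."""
        cred = self.credentials.get(combination)
        if cred is None:
            reason = "unknown combination"
        elif combination in self.locked_out:
            reason = "combination locked out"
        elif not permitted(area, cred.role, when.hour, when.minute):
            reason = f"{cred.role} not permitted in {area} at this time"
        else:
            reason = None
        self.log.append({
            "time": when.isoformat(timespec="minutes"),
            "area": area,
            "person": cred.person if cred else None,
            "granted": reason is None,
            "reason": reason,
        })
        return reason is None


def demo() -> list:
    """Run a constructed sequence of requests and return the audit log."""
    ac = AccessController()
    ac.enroll(Credential("J. Smith", "operator", "4417"))
    ac.enroll(Credential("M. Jones", "janitor", "9031"))
    ac.enroll(Credential("R. Lee", "programmer", "5550"))
    ac.request("supplies_storage", "9031", datetime(1981, 3, 2, 2, 15))   # night: granted
    ac.request("supplies_storage", "9031", datetime(1981, 3, 2, 13, 0))   # day: denied
    ac.request("computer_room", "5550", datetime(1981, 3, 2, 10, 0))      # wrong role: denied
    ac.request("tape_library", "4417", datetime(1981, 3, 2, 3, 30))       # operator: granted
    ac.lock_out("5550")
    ac.request("programmer_area", "5550", datetime(1981, 3, 2, 10, 5))    # locked out: denied
    ac.request("computer_room", "0000", datetime(1981, 3, 2, 10, 6))      # unknown: denied
    return ac.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The order of the checks matters: a locked-out combination is refused before the policy is consulted, so revoking one person never depends on editing the area table, and the log records denials as well as grants so that repeated failures at one door can be reviewed later.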

(2) Something Possessed by an Individual. This type of system allows entry to any individual that has a key. The advantage of this system is that only individuals with keys can be admitted. The main disadvantage is that anyone who can obtain a key can enter. There are three basic key and lock systems.

Conventional key and lock sets operate as simply as a regular lock on a door. The advantage is that they are very inexpensive. Disadvantages include the following: locks can be picked; keys can be duplicated; there is no record of who entered or exited; and materials can be taken by anyone possessing a key. [Ref. 10: p. 49]

Pick resistant lock sets have the same advantages and disadvantages as conventional locks except that they are several times more expensive, the keys are harder to duplicate and the locks are harder to pick. [Ref. 10: p. 49]

Electronic key systems consist of encoded 
cards that actuate electric doors. They can be simple or 
complex and have many of the same advantages and disadvan- 
tages of the electronic combination lock. The various types 
of electronic key systems are explained in Appendix A to FIPS 
Pub 83 [Ref. 12]. Pages 13-15 of the same reference detail 
considerations for badge formatting, preparation, and 
updating. 

(3) Something about an Individual. There are a number of features peculiar to each individual that can be used for identification. Those items currently being used or considered are faces, signatures, fingerprints, hand geometry, voiceprints, ear features, dental characteristics, prints from the bottom of the feet and patterns on the retina of the eye. Of these, only face (appearance), signature, fingerprints, hand geometry and voiceprints are promising as convenient identification techniques at this time [Ref. 11: pp. 10-12]. Appearance would usually be checked by a guard, either in person or through CCTV, who would compare the face of the individual seeking admission to a file picture or identification card. The other devices that use physiological attributes for identification usually operate in the following manner.

• The individual seeking entrance identifies himself by keying his name or inserting a magnetic card with this information on it.

• The device then pulls from memory a reference profile of the attribute of that individual who is seeking access.

• The measured profile of the applicant is compared to the reference profile and the degree of correlation is obtained.

• The degree of correlation is compared to a preset threshold and a decision to accept (allow entrance) or reject (deny entrance) is made. [Ref. 11: pp. 12-13]

The advantages of this system are that it is flexible enough to allow entrance at selected doors and during certain time intervals, and it is not necessary to remember combinations for doors. Even if a key is stolen and/or duplicated, entrance should be denied. Also a single guard can regulate entry at a number of different entrances by CCTV and remote control. Disadvantages are that it is both expensive and time-consuming. During shift changes delays could be encountered as individuals try to enter the working area [Ref. 10: p. 49]. Another disadvantage is that the accept and reject criteria are complementary. If the accept criterion (degree of correlation) is established at a high enough level to minimize the probability of accepting an impostor (Type II error), the system will reject a high number of authorized individuals (Type I error). However, if the criterion is lowered to reduce the number of Type I errors, a larger number of unauthorized persons will be allowed access [Ref. 11: p. 13]. An excellent discussion of the evaluation criteria to be considered when selecting a personal identification system is contained in Reference 11.
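The complementary Type I / Type II behaviour of a correlation threshold, worked through on constructed data. This is an added example and not from the thesis or Reference 11; the correlation scores are invented to stand in for what a hand-geometry or voiceprint device would measure, and the error labelling follows the page (Type I = authorized person rejected, Type II = impostor accepted).

```python
"""Type I / Type II trade-off for a correlation-threshold identification device.

The device compares the measured profile with the stored reference
profile, obtains a correlation score, and accepts when the score reaches
a preset threshold.  Raising the threshold turns away more impostors
(fewer Type II errors) but also more authorized people (more Type I).
"""

# Constructed correlation scores in 0.0 .. 1.0 (not measured data):
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.86, 0.83, 0.80, 0.77, 0.74, 0.70, 0.66]
IMPOSTOR_SCORES = [0.72, 0.68, 0.63, 0.60, 0.55, 0.52, 0.48, 0.45, 0.40, 0.35]


def decide(score: float, threshold: float) -> bool:
    """Accept (allow entrance) when the correlation reaches the threshold."""
    return score >= threshold


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (type_i, type_ii) at this threshold.

    type_i  = fraction of authorized individuals wrongly rejected
    type_ii = fraction of impostors wrongly accepted
    """
    type_i = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    type_ii = sum(decide(s, threshold) for s in impostor) / len(impostor)
    return type_i, type_ii


def tradeoff_table(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, type_i, type_ii) for each candidate threshold, in order."""
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]


def threshold_for_max_type_ii(max_type_ii, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose impostor acceptance does not exceed max_type_ii.

    The lowest such threshold keeps the Type I rate (and the shift-change
    queue) as small as the Type II goal allows.  Candidate thresholds are
    the observed scores themselves, since the rates only change there.
    Returns (threshold, type_i, type_ii).
    """
    for t in sorted(set(genuine) | set(impostor)):
        type_i, type_ii = error_rates(t, genuine, impostor)
        if type_ii <= max_type_ii:
            return t, type_i, type_ii
    raise ValueError("no threshold meets the Type II goal")


if __name__ == "__main__":
    print("threshold  Type I  Type II")
    for t, type_i, type_ii in tradeoff_table([0.60, 0.70, 0.75, 0.85]):
        print(f"{t:9.2f}  {type_i:6.1f}  {type_ii:7.1f}")
    print("no impostors accepted:", threshold_for_max_type_ii(0.0))
```

On these scores a threshold of 0.70 trades one authorized rejection in ten for one impostor admitted in ten; refusing every impostor requires 0.74 and turns away two authorized people in ten, which is the shift-change delay the text warns about.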


b. Perimeter Intrusion Controls


All possible entry points of the building--windows, transformer vaults, air conditioning louvres, roof hatches, etc.--should be physically secured or have an intrusion alarm installed. Physical security devices include, but are not limited to, break resistant glass or plastic, metal bars, and screens. In areas where physical security devices are impractical or where an intruder would be able to negate a physical security device unobserved, consideration should be given to installing special intrusion sensors. Examples of common sensors are discussed below [Ref. 10: pp. 49-50].

(1) Window Foil. This is a metallic tape that is attached to glass doors and windows. When the glass is broken, the foil breaks and an alarm sounds. A disadvantage of this method is that a scratch in the foil will also actuate the alarm.

(2) Wire Lacing and Screen. Wire lacing and screen works on the same principle as window foil. Fine wires are laced across door panes, floors, walls and ceilings. Forced entry through the wire will break a strand and set off an alarm.

(3) Taut Wires. This method is designed to protect internal openings from intruders. A fine strand of wire is strung across internal openings, such as air ducts or utility tunnels, and then tension is applied to the wire. Any change in tension will set off an alarm.

(4) Intrusion Switch. This can be either a magnetic or mechanical device used to protect doors, windows, skylights, and other accessible openings. These devices can be recessed to avoid detection and thus are harder to thwart.

(5) Average Penetration Times. Besides trying to control entrance through already existing openings, consideration should be given to the probability that a determined intruder would be willing to go through a wall. The average times needed to go through walls are indicated below:

Wall Construction                                  | Tools Used                         | Penetration Time
2" x 4" studs with 1" siding both sides             | Hand brace and electric sabre saw  | 1.55 minutes
8" cinder block wall                                | Sledgehammer                       | [illegible] minutes*
8" cinder block wall with brick veneer on one side  | Sledgehammer                       | [illegible] minutes*
[illegible] reinforced concrete                     | Rotohammer drill and sledgehammer  | 5.44 minutes*
8" reinforced concrete                              | Rotohammer drill and sledgehammer  | 10 minutes approx.*

*Add approximately 1 minute for each reinforcing rod encountered. [Ref. 10: p. 50]

It should be noted that all of these methods are extremely noisy, and an attentive security force strategically placed should be able to hear the intruder(s) attempting to gain entry.

5. Area Access

Area access control methods are the same as those measures used to control building access. These methods are designed to control access to the area surrounding the data processing function [Ref. 9: p. 31].

6. Computer Room Access

Within the computer center, access to a number of areas should be restricted to all personnel except those needing access for the performance of their duties. The areas previously mentioned in Section B.1.d should be analyzed to determine which personnel should be authorized access. Most of the devices and systems discussed in Section B.4 under the topic of "Building Access" can be used to control access to different areas within the computer center. Additionally, a number of detection devices can be used within the computer center to determine access to or occupancy of critical areas during periods when they should be vacant. Two of these items--CCTV and intrusion switches--have already been discussed. Rather than as a detection device, CCTV is best used to determine if an intruder is present after an alarm system has registered [Ref. 10: p. 51]. The rest of the detection systems can be divided into the following four classifications.
a. Photometric Systems

These systems detect a change in the level of light in the area, which can be caused by an additional lighting source or the absorption of existing light. These systems can only be used in windowless areas or where windows have been covered.

b. Motion Detection Systems

There are three types of these systems, all of which work on the Doppler effect. Waves (sound, ultrasonic or microwave) are emitted and receivers monitor them. When an intruder enters, the frequency changes and sets off an alarm.

(1) Sound. These systems operate in the audible range and at a high decibel level, which makes them annoying to most humans.

(2) Ultrasonic. These systems operate at a high frequency which is inaudible to most humans, but otherwise are identical to the sound system.

(3) Microwave. This system is similar to the above two systems. The major differences are that microwaves are high frequency radio waves and that by using different antennae, the size of the area to be surveyed can be varied. Also, microwave systems can be used in conjunction with sound or ultrasonic systems.

c. Acoustical-Seismic Systems

(1) Acoustical (Audio). This system uses microphones to listen for intrusion sounds. When an intrusion sound is heard the alarm is set off. Because of its sensitivity to sound it cannot be used in buildings which are directly under an airport approach or where new construction is taking place. However, cancellation and discrimination units, which can be added to the system, help reduce nuisance alarms due to airplanes, thunderstorms and other similar noises.

(2) Vibration (Seismic). This system is similar to the acoustical system except that microphones are attached to objects such as safes, filing cabinets, windows and walls. Vibration of these objects sets off an alarm. Discrimination equipment can be added to lower the incidence of nuisance alarms.

d. Proximity Systems

This classification includes a number of systems that detect the approach of a person or object. Basically, this is accomplished by the creation of an electric field which, when broken, causes an alarm to be sounded. The proximity system is easily disturbed by mops, pails, or fluctuations in electric current and therefore is subject to numerous nuisance alarms. Because of this, it is usually used in conjunction with other systems instead of as a primary system.





7. Mandatory Access Controls

The following access controls are mandatory in accordance with Reference 4.

a. Level III Data Access Controls

The controls necessary for protection of all Level III data are:

Physical Protection. Activities will provide physical security for their ADP facilities. The degree of physical security required will vary depending on the physical characteristics of each location, its vulnerability within the ADP environment, and the level of data being processed. A minimum physical security program will address the four basic considerations below. For further guidance and assistance refer to OPNAVINST 5510.45B (NOTAL).

(1) Physical security protection will be provided by implementing a series of physical barriers and procedures, including continual surveillance of the controlled area.

(2) Physical access controls will be implemented to prevent unauthorized entry into the central computer facility and remote terminal areas.

(3) Physical access to data files and media libraries will be restricted to individuals requiring access to perform official duties. [Ref. 4: p. J-3]

b. Level II Data Access Controls 
The controls necessary for processing Level II 
data include those from the preceding paragraph and all of 
the following: 
a. Central Computer Facility 
(1) Physical security requirements for the central 
computer facility area will be commensurate with 
the highest level and type of data being handled. 
(2) If two or more ADP systems are located in the same 


controlled area, the equipment comprising each 
system may be located so that direct personnel 
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access, if appropriate, will be limited to a 
specific system. 


b. Remote Terminal Areas 


(1) While the physical and personnel security require- 
ments for the central computer facility area are 
based upon the overall requirements of the total 
ADP activity, remote terminal area requirements 
will be based upon the highest level and type of 
data which will be accessed through the terminal. 


(2) When a peripheral or remote device is to be con- 
nected to an ADP system or network processing 
Level I or II data and is to be operated or used 
by personnel of an activity that is not responsi- 
ble for the security of the host ADP system or 
network, the security measures for the peripheral 
or remote device and its controlled area will be
prescribed by the activity responsible for the
security of the host ADP system or network whether
or not the peripheral or remote device is approved
for handling Level I, II, or III data. Such se-
curity measures will be agreed to, formally docu-
mented, and implemented before the peripheral or
remote device is connected to the ADP system or
network.
c. Adjustment of Area Controls 
(1) When appropriate, provision will be made to permit
adjustment of area controls to the protection re-
quired for the level and type of data actually
being handled in the ADP system, except that the
central computer facility and those components ap-
proved for the storage and processing of classi-
fied material will not be downgraded below the
level required to protect secure communications
equipment, to maintain the reliability and se-
curity of the ADP system, and to protect essen-
tial hardware or software components of the ADP
system. [Ref. 4: pp. J-4 - J-5]


C. FIRE CONTROLS
"According to the literature, the biggest threat univer-
sally faced by computer facilities is fire. The 1959 Penta-
gon fire, for example, destroyed $6.7 million worth of
equipment and over 7,000 reels of magnetic tape" [Ref. 9].
The threat to the computer facility is twofold: either or
both of the computer and the building are susceptible to
fire. The Design Manual: Fire Protection Engineering
(NAVFAC DM-8) prescribes design criteria for fire protection
engineering applicable to Naval shore facilities. The
Standard Practice for the Fire Protection of Essential Elec-
tronic Equipment Operations (RP-1), published by the U.S.
Department of Commerce National Fire Prevention and Control
Administration, provides guidance to reduce damage caused by
fires to computer equipment. This section is based primarily
on RP-1, FIPS Pub 31, and those portions of NAVFAC DM-8 that
are applicable to electronic equipment and systems. Those
portions of the references dealing strictly with the building
will not be repeated here.
1. Overview 

Fire security is more than just trying to prevent
fires from occurring. It includes the measures to detect
and extinguish fires before serious damage can occur. When
planning fire security the following elements should be
included:

• Location, design, construction and maintenance of the
ADP facility to minimize the exposure to fire damage.

• Measures to ensure prompt detection of and response to
a fire emergency.

• Provision of adequate means to extinguish fires and for
quick human intervention.

• Provision of adequate means and personnel to limit
damage and effect prompt recovery. [Ref. 10: pp. 15-
16]


2. Fire Exposure
When determining which fire controls should be in- 
stalled, it is necessary to know the susceptibility of the 
facility to fire. This is known as the facility fire ex- 
posure and is based on the following five variables. [Ref.
10: pp. 16-17]
a. Occupancy
Occupancy refers to the type of organization in 
the building. For instance, facilities housing organizations 
that process textiles, chemicals, or paints are much more 
susceptible to fires. Therefore, the probability of a fire
occurring is usually directly related to the facility 
occupancy. 
b. Fuel Load
Fuel load relates to the probable severity of
the fire based on the contents of the building and is a mea-
sure of the material burning capability expressed in equiva-
lent units of wood. This is due to the fact that different
materials burn for different lengths of time and at different
intensities based upon this fuel load. The following table
indicates fire severity based upon fuel load.
For typical offices with metal furniture and
storage cabinets the fuel load will range from 5 to 15 lbs
per square foot. Storage rooms with paper forms and boxed
punch cards, or a magnetic tape library will have fuel loads
of 50 to 80 lbs per square foot.

TABLE V

FIRE SEVERITY BASED UPON FUEL LOAD
[Ref. 10]

Fuel Loading            Potential Heat Release     Fire Severity
(equivalent pounds      (kilocalories per          (duration in
of wood per             square centimeter)         hours)
square foot)

 5 (illegible in          (illegible in source)       0.5
    source; probably 5)
10                        (illegible in source)       1
20                         48                         2
30                         65                         5
50                        110                         6
70                        152                         2
c. Construction Type 

Construction types affect both the intensity and 
duration of the fire and relate to the facility's resistance 
to structural damage. The five basic types of construction 
are given in order of preferability. 

(1) Fire Resistive. In this type of construc- 
tion the structure of the building is made of noncombustible 
materials which are further insulated to protect against loss 
of strength due to a fire. 

(2) Heavy timber. Exterior walls are noncom-
bustible while columns and beams are heavy timber. Since
heavy timber burns slowly it is superior in performance to
noncombustible.

(3) Noncombustible. The structure is noncom-
bustible but is not protected from the effects of heat.

While the building materials will not provide fuel for the 
fire, the heat from the fire may collapse the structure. 

(4) Ordinary Construction. Similar to heavy 
timber except smaller. The lumber is of smaller proportions 
and therefore will burn more readily. 

(5) Wood Frame. This is normal residential con- 
struction using 2" boards for the framework and 1" boards for 
the sides. This type of facility catches fire readily and is 
easily destroyed. 

d. Construction Details 

A number of structural details may be in use in 
the building which will help retard the spread of a fire. 

(1) Fire Walls. These help to divide a struc- 
ture into separate buildings when calculating fire 
susceptibility. 

(2) Fire Rated Partitions. Fire rated parti-
tions are designed to retard the spread of a fire within a
building.

(3) Fire Rated Stairwells, Doors or Shutters.
These items will help to stop fire and smoke from spreading
from room to room and floor to floor.

(4) Use of Low Flame Spread Materials. These
materials will help keep the fire from spreading rapidly
within the facility.
e. Operation of Building
Improper storage of flammable materials and the
accumulation of debris, trash or paper allow fire a greater
opportunity to occur and spread. Efforts should be made to
keep the building well policed.
3. Fire Detection 

In spite of all efforts to limit a facility's sus-
ceptibility to fire, there is still the possibility of a
fire occurring. It is therefore imperative to have a fire
detection system that will allow the fire to be controlled
before serious damage is done. Most fires go through three
stages--ignition (which is often marked by smoldering), the
open flame stage, where the fire is spread by direct flame
contact only, and finally the flammable gas stage, which
occurs when the air is hot enough to cause adjacent combusti-
ble materials to give off flammable gases. The third stage
is marked by rapid spreading of the fire and the ignition of
nearby materials due to heat radiation. Since it is best to
discover and treat the fire before it reaches the third
stage, fire detection equipment that works on the principle
of raised temperature is not recommended [Ref. 10: pp.
17-18]. In fact, RP-1 makes automatic smoke detection sys-
tems meeting the requirements of NFPA No. 72E, Automatic
Fire Detectors, mandatory for equipment, record storage, and
raised floor areas [Ref. 13: p. 30]. In order to design an
effective detection system, the following items should be
considered [Ref. 10: p. 18].
a. Location and Spacing of Smoke Detectors 
As mentioned before, smoke detectors are manda- 
tory in all equipment, record storage and raised floor areas. 
Consideration should be given to any other potential fire 
sites including air conditioning ducts and above hung ceil- 
ings. When locating smoke detectors, take into consideration 
the direction and velocity of air flow and the presence of 
areas with stagnant air. 
b. Detection Control Panel 
The design of the detection control panel should 
facilitate the identification of the detector that has 
sounded. This could be accomplished by a separate light for 
each area or smoke detector on the control panel. Additional 
considerations include a secure system that will actuate a 
trouble alarm if any part of the system fails or in the 
event of a power outage and prevention of human deactivation 
of the system. Several fires in computer facilities appear 
to have been deliberately set and the fire detection system 
was deactivated prior to the start of the fire [Ref. 10].
c. Human Response 
Meaningful human response to the alarm is neces- 
sary to determine if there is an actual fire, take steps to 


control/extinguish it, and evacuate the building. Therefore,
there should be provisions for monitoring of the alarm sys-
tem by someone from the ADP facility or guard force. Addi-
tionally, the detector system must be connected to an alarm 
which will sound locally and also relay the alarm automatic- 
ally to the local fire department or to an approved central 
station supervisory service [Ref. 13: p. 25]. Standard 
Operating Procedures (SOP) should be written which designate 
functions, and those personnel to perform them, during a 
fire alarm. 

d. Maintenance of System 

Smoke detectors are very sensitive and can be ac- 
tivated by dust or other foreign agents. As a result, the 
sensitivity of the system is often reduced to limit the 
nuisance alarms. This may result in delayed detection of an 
actual fire. It is important that smoke detectors be ser-
viced annually by qualified personnel to ensure they are set 
to the proper sensitivity level and that they are operating 
satisfactorily. Any system that is not working properly
should be corrected immediately. 
4. Fire Extinguishment Methods 

After the detection of the fire, it is important that
it be extinguished quickly to minimize damage. This section
contains a discussion of the types of fire-fighting equipment 
available. There are five basic methods for fire extinguish- 


ment available to a computer facility. They are as follows. 
a. Portable Extinguishers
Portable or hand extinguishers can be used by
agency personnel to control the fire before it gets out of
hand. [Ref. 10: p. 18]
b. Automatic Sprinkler Systems 
Automatic sprinkler systems can be used to auto- 
matically release water from one or more sprinkler heads when 
the air temperature reaches the design temperature of the 
head. Heads can be designed to release water at design tem-
peratures ranging up to 280°F [Ref. 10: p. 19]. Since the sprinkler head
works on the principle of heated air, it is mainly a back-up 
system which is designed to prevent major damage to an ADP 
installation. Each automatic sprinkler section covering 
either electronic equipment or record storage areas must in- 
clude a water flow alarm which will sound locally and shall 
also sound at the local fire department or at an approved 
central station supervisory service [Ref. 13: p. 23]. All
automatic sprinkler equipment should be installed in accor- 
dance with NFPA No. 13, Sprinkler System. 
c. Carbon Dioxide Systems 
Sufficient carbon dioxide hose reels should be 
included to reach all ADP equipment. Additionally, all 
raised floors not exceeding 2,000 cubic feet in capacity 
should be capable of being flooded with carbon dioxide by 
the hose reel systems. All raised floors exceeding 2,000 cubic


feet in capacity should have the capability of being flooded 
with carbon dioxide by manually operated fixed pipe systems
with underfloor nozzles [Ref. 14: pp. 8-5-13 - 8-5-14].
d. Hose Lines 
Hose lines are used by professional fire fighters 
to attack the fire with water. [Ref. 10: p. 19] 
e. HALON 1301 
HALON systems will only be used in addition to 
automatic sprinklers, automatic smoke detection equipment, 
portable fire extinguishing equipment, and manual response 
[Ref. 13: p. 26]. A detailed discussion of HALON systems is 
contained in Paragraph 706 of that reference and in the cor-
responding paragraph (number illegible in the source) of
FIPS Pub 31. It should be noted that at the time of
this writing NAVFAC had not approved use of the HALON system.

5. Mandatory Requirements
The mandatory requirements for fire prevention, de- 
tection, and extinguishment are as quoted below. 
Fire safety. Guidelines concerning fire safety practices 
are provided by NAVFAC DM-8, Design Manual for Fire Pro- 
tection Engineering (NOTAL). Employees will receive pe- 
riodic training regarding emergency actions. Training will 
include at least power shutdown and startup procedures, use 
of emergency power, fire detection and alarm systems, use 
of fire extinguishers, and building evacuation procedures. 
(1) Master control switches that shut off all power to 
the ADP equipment will be installed to override all 
Other electrical controls used during normal opera- 
tions. Facilities with air-conditioning systems not 
designed for smoke removal may include their air- 
conditioning system on the same master control 
Switches. These switches will be located near the 
main entrance to the ADP equipment area and ade- 


quately labeled to prevent accidental shutoff.
Master control switches for systems processing
critical applications will be equipped to require a
sequential shutdown routine.


(2) Each controlled area will have a sufficient number 
of portable fire extinguishers. Each extinguisher 
will be prominently displayed in an unblocked, 
easily accessible area, no more than 50 feet from 
ADP equipment. Only carbon dioxide or halon fire 
extinguishers will be used on electrical fires. All 
fire extinguishers will be regularly inspected and 
properly maintained. The number and types of fire 
extinguishers on hand will be in accordance with 
local activity fire regulations. 


Smoke Detection. Automatic smoke detection capable of 
early warning will be installed in all areas as required 
by appropriate instructions. 


Cleanliness. Routine cleaning procedures and schedules 
will be established and adhered to. Personnel assigned 
to clean around ADP equipment should only be permitted to 
do so after receiving proper training. An authorized ADP 
facility representative will be present during the clean- 
ing operation. 


(1) Noncombustible wastebaskets with self-closing or 
tight-fitting covers will be provided in each ADP 
equipment area. Burn bags required for classified 
material will be either retained in safes or stored 
in metal bulk-refuse containers approved by OPNAVINST
[designation illegible in source].


(2) Contributors to dust, lint, and static electricity,
such as outer coats, venetian blinds, and throw 
rugs, will not be permitted in the ADP equipment 
area. 


(3) Air-conditioning filters will be regularly checked, 
cleaned, and replaced. 


(4) Floors will be kept polished, and, if necessary, 
buffed to a hard finish. Waxes which powder or flake 
and steel wool buffing pads should not be used. 
Exercise extreme care when damp-mopping or waxing to 
avoid seepage of liquids through joints of raised
floors.


(5) Carpeted areas will be vacuumed frequently to pre-
vent accumulation of dust. Antistatic carpeting or
[word illegible in source] will be used to reduce
static electricity. [Ref. 4: pp. J-1 - J-6]
The guidelines from DM-8 that were referred to in
OPNAVINST 5239.1A are:


Construction. New structures built to house electronic 
systems should be of fire-resistive or noncombustible 
construction and cut off from other occupancies by 
Ffire-rated walls or partitions. Existing combustible 
construction should be replaced with noncombustible 
construction wherever practical and should be cut off 
from other occupancies by fire-rated walls or parti- 
tions. Additional guidance for construction will be
found in NFPA 75 Electronic Computer/Data Processing
Equipment, NAVFAC DM-23 Communications, Navigational
Aids and Airfield Lighting, and Federal Fire Council
Recommended Practices No. 1 Fire Protection for Essen-
tial Electronic Equipment.


Protection. Electronic systems shall be protected in 
accordance with NAVMAT INSTRUCTION 11320.8 and the 
following:


(1) Manually controlled carbon dioxide hose reel sys- 
tems should be provided in accordance with the 
requirements of NFPA No. 12, Carbon Dioxide Ex- 
tinguishing Systems, except as modified herein.


(2) Systems should be two-shot type with minimum of
300 lbs. CO2 for primary supply and 300 lbs. for
reserve. Where the volume of the largest indi-
vidual cabinet, console, or equipment item re-
quiring protection exceeds 100 cubic feet,
additional CO2 (both primary and reserve) should
be provided in accordance with the assumed volume
method outlined in NFPA Standard No. 12.


(3) CO2 hose shall be 3/4 inch and should be limited
to 75 feet per reel. Sufficient numbers of hose 
reels shall be provided to reach all electronic 
equipment components with one hose giving con- 
Sideration to equipment layout, aisle arrange- 
ments, and other obstructions. Minimum pipe size 
supplying hose reels should be 3/4 inch. Hose 
nozzles should be designed for discharge rate of 
approximately 100 pounds per minute. 


(4) Raised floor spaces, not exceeding 2,000 cubic
feet in volume, should be protected by total CO2
flooding utilizing hose reel systems described in
the preceding paragraph but with both the primary
and reserve supplies of CO2 increased by not less
than 225 pounds each.
(5) Raised floor spaces exceeding 2,000 cubic feet in
volume should be protected by two-shot total CO2
flooding utilizing manually operated fixed pipe
systems with underfloor nozzles. CO2 supply
should be independent of the hose reel system
with capacity of both primary and reserve
supplies.

(6) High pressure 75 lb. cylinders should normally be
used to supply hose reel systems and fixed pipe
underfloor systems. Beam scale, designed for use
with cylinder rack should be provided to permit
weighing of cylinders without removal from racks.
Where large quantities of CO2 are required, low
pressure storage may be utilized, provided that
the installation and maintenance costs are lower
and a resupply of low pressure CO2 is readily
available.

(7) Quick-opening valves should be provided in the
supply pipes to hose reels and in the supply
pipes to underfloor systems. Separate primary
and reserve releases should be located adjacent
to quick-opening valves. Primary and reserve
supplies should not be interconnected, and cas-
cading type activation of cylinders should not be
used. Mechanical releases may be cable-type or
pressure operated type. Electrical type releases
may be used where emergency power is provided.

(8) Operating instructions should be posted at each
pair of releases indicating that both the quick-
opening valve and a release must be operated in
order to deliver CO2 to hose nozzle or underfloor
system. Primary and reserve releases shall be
separately labeled. Where underfloor spaces are
used as air plenums, instructions should indicate
that air supply fans should be shut down prior to
the application of CO2.

(9) Smoke detection systems should be provided in
areas where electronic equipment is operated or
remains energized without continuous supervision
by personnel. Associated underfloor spaces
should be similarly protected, except where such
spaces are used as air plenums. Detection de-
vices should be of the type which respond to both
gaseous products of combustion and smoke and
shall be listed by UL, Inc. Alarms should be
transmitted to a central location where personnel
are in constant attendance.
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(10) Provision should be made to transmit alarm sig- 
nals from all COy and smoke detection systems to 
the fire department via the station fire alarm 
system. [Ref. 14: pp. 8-5-10 - 8-5-13] 

Figure 1, adapted from RP-1 and referred to in DM-8,
is an easy reference for determining fire detection and ex-
tinguishment needs. These are recommendations.


D. UTILITIES

The modern conveniences that allow for and help support 
computer facilities also are potential hazards for these same 
systems. This section contains a discussion of electric ser-
vice, heating and air conditioning, communications circuits,
and water and sewage. An assessment of the effects of the 
loss of or the damage to each of these should be made during 
the risk assessment phase. 

1. Electric Service

Electric service can affect ADP operations through
quality--the absence of variations from the normal wave-
form, or reliability--the number and duration of occasions
when the line voltage departs from nominal for periods too
long to be considered transient. A variation is considered
to be transient when the line voltage is 90% or less of
nominal for more than 4 milliseconds or 120% or more of
nominal for more than 16 milliseconds. Transients often oc-
cur in the morning as energy demands build up. Measurements
can be recorded for a period of time to determine the average
number of transients and outages that occur. This informa-
tion should be used in the risk assessment.
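The transient rule above is mechanical enough to apply directly to a recorded voltage trace, which is what the risk assessment needs. The following is an added example (not part of the thesis or of any reference it cites) that classifies a sampled line-voltage record into transients, sustained departures and excursions too brief to count under the page's thresholds. The 120 V nominal, the 1 ms sampling interval, the 1000 ms cut-off separating a transient from a sustained (reliability) departure, and the trace itself are constructed assumptions; only the 90%/4 ms and 120%/16 ms thresholds come from the text.

```python
"""Classify sampled line-voltage readings using the thresholds quoted in
the text: 90 % or less of nominal for more than 4 ms, or 120 % or more of
nominal for more than 16 ms, counts as a transient.

Added illustration, not part of the original thesis.  The sample trace,
the 1 ms sampling interval and the 1000 ms cut-off that separates a
transient from a sustained (reliability) departure are assumptions the
page does not state.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

SAG_MIN_MS = 4.0      # page: <= 90 % of nominal for more than 4 ms
SURGE_MIN_MS = 16.0   # page: >= 120 % of nominal for more than 16 ms


@dataclass
class Excursion:
    kind: str          # "sag" or "surge"
    start_ms: float
    duration_ms: float


def _kind(voltage: float, nominal: float) -> Optional[str]:
    """Band a single sample: sag, surge, or None when within limits."""
    if voltage <= 0.9 * nominal:
        return "sag"
    if voltage >= 1.2 * nominal:
        return "surge"
    return None


def find_excursions(samples: Sequence[float], nominal: float,
                    interval_ms: float) -> List[Excursion]:
    """Merge runs of consecutive out-of-band samples into excursions."""
    out: List[Excursion] = []
    active_kind: Optional[str] = None
    start = 0
    for i, v in enumerate(samples):
        k = _kind(v, nominal)
        if k == active_kind:
            continue
        if active_kind is not None:
            out.append(Excursion(active_kind, start * interval_ms,
                                 (i - start) * interval_ms))
        active_kind, start = k, i
    if active_kind is not None:          # trace ended mid-excursion
        out.append(Excursion(active_kind, start * interval_ms,
                             (len(samples) - start) * interval_ms))
    return out


def summarize(samples: Sequence[float], nominal: float, interval_ms: float,
              sustained_ms: float = 1000.0) -> Dict[str, float]:
    """Count transients, sustained departures and sub-threshold blips.

    sustained_ms is an assumed cut-off: anything longer is treated as a
    reliability problem (outage) rather than a transient.
    """
    counts: Dict[str, float] = {"transient": 0, "sustained": 0, "ignored": 0}
    for e in find_excursions(samples, nominal, interval_ms):
        min_ms = SAG_MIN_MS if e.kind == "sag" else SURGE_MIN_MS
        if e.duration_ms > sustained_ms:
            counts["sustained"] += 1
        elif e.duration_ms > min_ms:
            counts["transient"] += 1
        else:
            counts["ignored"] += 1       # too brief to count under the page's rule
    counts["observed_ms"] = len(samples) * interval_ms
    return counts


# Constructed 120 V trace sampled every 1 ms (assumption): normal stretches
# interleaved with a 3 ms sag, a 6 ms sag, a 10 ms surge, a 20 ms surge and
# a 2 s outage at 0 V.
SAMPLE_TRACE = ([120.0] * 10 + [100.0] * 3 + [120.0] * 10 + [95.0] * 6
                + [120.0] * 10 + [150.0] * 10 + [120.0] * 10 + [150.0] * 20
                + [120.0] * 10 + [0.0] * 2000 + [120.0] * 10)

if __name__ == "__main__":
    for e in find_excursions(SAMPLE_TRACE, nominal=120.0, interval_ms=1.0):
        print(e)
    print(summarize(SAMPLE_TRACE, nominal=120.0, interval_ms=1.0))
```

Run against a real recording, the same counts divided by the observation period give the per-hour transient and outage rates the text asks for; the 3 ms sag and 10 ms surge in the constructed trace fall below the page's duration thresholds and are reported separately so they are not silently lost.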
2. Air Conditioning and Heating

As most ADP people know, computers need to operate 
in a regulated temperature and environment. Heating and air 
conditioning can help by accomplishing the following things. 

• Maintaining the temperature within fairly close limits.
Temperatures above 30° Centigrade can cause permanent
damage to hardware.

• Maintaining the proper humidity for ADP operations. Ex-
cessive humidity can cause computer cards to swell and
feed erratically. Low humidity can affect tape hand-
ling, line printers and ADP hardware.

• Maintaining contamination free air. Contamination in
the air can cause the heads to crash on a disk drive.
[Ref. 10: p. 34]

A complete review of the facility's air conditioning 
and heating system should be made. Pages 34-39 of FIPS Pub 
31 outline procedures for doing this. For those facilities 
using steam heat, consideration should be given to a system 
for detecting breaks in a steam pipe as a leak could cause 
damage by both heat and humidity. 

3. Water Supply and Sewage 

Water is needed for fire fighting, sanitation and 
drinking. Considerations should be given to the probability
of a broken water pipe that could cause water to get into the
computer. Additionally, drains should be equipped with check
valves to keep water from backing up out of the sewer system
and inundating the computer. [Ref. 10: p. 22]
4. Communications Security


For any system heavily dependent on remote terminals, 
an analysis should be made of the reliability of the communi- 
cation system linking the terminals and computer. Specific 
guidelines are outlined on pages 39-42 of FIPS Pub 31. Com- 
munications security also concerns the safe transmission of 
information so that unauthorized individuals can not obtain 
access to it. Further discussion of this topic is presented
in Chapter VII of this thesis.


5. Mandatory Requirements


The following requirements are mandatory in accor- 
dance with OPNAVINST 5239.1A. 


(1) Lighting and Electrical Service. Adequate lighting of 
the central computer facility and remote terminal 
areas will be provided and maintained. Emergency 
lighting will be provided to ensure safe exit in emer- 
gencies. Reliable electrical power will be provided. 
An uninterruptible power source may be required if the 
facility criticality requires constant ADP support. 
Voltage regulators or other electronic devices may be 
necessary to reduce or prevent serious fluctuations 
in current. Periodic checks will be made of the emer- 
gency lighting and the auxiliary power to ensure per- 
formance and operability. 


(2) Temperature and Humidity. Whenever possible, ADP 
equipment will be operated within the manufacturers' 
optimum temperature and humidity range specifications. 
To prevent excessive temperature and humidity fluctua-
tions, all doors and windows to the central computer 
facility and remote terminal areas should be kept 
closed, and only key designated individuals should be 
permitted to regulate the environmental controls. To 
maintain a constant record of the temperature and hu- 
midity, a recording instrument should be installed and 
placed where it can monitor the air leaving the ADP 
equipment area. As a safety feature, an adequate 
warning system should be installed and maintained to 
warn of near-limit conditions, so that prompt action
can be taken to prevent ADP equipment damage.


(3) Precautionary Measures Against Water Damage. False 
ceilings that conceal steam and water pipes will be 
checked frequently, and any irregularity will be re- 
ported immediately. Work scheduled for the ceiling 
and raised flooring areas will be coordinated to en- 
sure maximum safety and minimal disruption. Plastic 
sheets will be readily available to cover the ADP 
equipment units highly susceptible to water damage. 
Equipment exposed to water will not be activated 
until completely dry. [Ref. 4: pp. J-1 - J-2) 

E. NATURAL DISASTERS

Natural disasters consist of those elements of nature 
that may cause damage to an ADP facility. The four that 
need to be mainly considered are floods, windstorms, thunder- 
storms, and earthquakes. 

1. Floods 

The ADP security team should analyze the suscepti-
bility of the facility to flooding. FIPS Pub 31 states that
the following areas are most susceptible to floods:

• Riverine flood plains;

• Coastal flood plains;

• Stream areas at the base of a mountain.

If none of the three apply, but the area has a history of 
flooding, then considerations should still be made to in- 
stall sump pumps, drains with check valves and other devices 
designed to minimize flood damage. 

2. Windstorms 


The two most common windstorms for the United States
are hurricanes and tornadoes. While the possibility of a
hurricane doing wind damage to NFC is very remote, the pos-
sibility of tornado damage is real. Past experience indi-
cates that several tornadoes are sighted in Ohio each year.
The local weather bureau should be contacted to determine 
the annual probability of a tornado or other high winds in 
the Cleveland area. This information should be used to de- 
termine the annual loss expectancy. 
3. Thunderstorms 
Thunderstorms often have an effect on the reliability 
of the electrical service. Calculations should be made of 
the frequency of thunderstorms and the per cent of times that 
they rupture electrical service. This information should be 
included when computing electrical outages. An assessment 
of the damage to facilities and computer that could be caused 
by a lightning bolt should also be included. 
4. Earthquakes 
Earthquakes can cause severe damage to the ADP fa-
cility. Figure 3 on page 25 of FIPS Pub 31 indicates that
Cleveland is in a zone where only minor damages usually oc-
cur. However, it is just a few miles from a zone where major
damage is probable. The U.S. Geological Survey should
be consulted to determine the past occurrence and severity of
earthquakes in the Cleveland area.
5. Mandatory Requirements 
There are no mandatory requirements concerning na-
tural disasters except for the following:

The effects of natural disasters will be prevented, con-
trolled, and minimized to the extent economically feasible
by the use of detection equipment, extinguishing systems,
and well conceived and tested contingency plans. [Ref. 4]
VI. MANAGEMENT PRACTICES


There are a number of security measures necessary for an 
ADP facility that should be performed as part of the manage- 
ment function. These measures can be broadly classified 
into the categories of personnel and administrative se- 
curity. These types of measures are not unique to ADP fa-
cilities but should be installed for most profit or nonprofit
organizations.

A review conducted by Carroll indicates that up until 
1977 there have been three distinct phases of criminally mo- 
tivated computer loss incidents. The first was the assault 
phase, which mainly involved bombing and arson. Damage re- 
sulting from these threats peaked around 1970 and has been 
declining since that time due to the hardening of computer 
facilities. The second phase emphasized penetration. This 
phase consisted of attempts by outsiders to acquire ADP as- 
sets by false input documents or falsely obtaining access 
to time-sharing systems. Losses due to this phase appear 
to have peaked in the 1972-73 time frame. At the writing 
of the book (1977) by Carroll the third phase, involving the 
defection or subversion of employees, was occurring. "These 
attacks include sabotage as well as theft of every conceiva-
ble kind of asset, both by employees and by conspiracies in-
volving employees and outsiders. Embezzlements by insiders
are clearly the leading source of criminal loss today" [Ref.
(number illegible in source)].

The effective countermeasures to the first phase are 
primarily the physical security controls discussed in the 
preceding chapter. The effective countermeasures to the 
second phase are those physical security measures limiting 
access to the facility and the systems security measures to 
be discussed in the following chapter. Damage due to the 
defection or subversion of employees can be reduced by both 
physical security measures (limiting movement within the 
computer facility) and systems security measures. However, 
management practices consisting of personnel and administra- 
tive security are the most effective countermeasures to the 


defection or subversion of employees. 


A. PERSONNEL SECURITY 
The importance of personnel controls can not be over- 
emphasized. As one author states: 


All physical, technical, or administrative security mea- 
sures implemented within a computer system may be rendered 
ineffective by certain dishonest or careless individuals. 
It is axiomatic that people represent a company's greatest
asset, but from a security point of view they are the big- 
gest liability. The potential threats involving personnel 
are multifold; they include not only espionage, fraud, em- 
bezzlement, and theft, but also inadvertent acts of inex- 
perienced, poorly trained, and careless personnel. [Ref.
(number illegible in source)]


Personnel security is defined as, "the procedures established
to ensure that each individual has a background which indi-
cates a level of assurance of trustworthiness which is
commensurate with the value of ADP resources which the indi-
vidual will be able to access" [Ref. 4: p. A-14]. The per-
sonnel program of an organization should work to reduce the 
two vulnerabilities of inconsistent personnel policies re- 
sulting in poor employee morale, and a low level of employee 
training and development [Ref. 9: p. 70]. 
i. "eassiftication of Personnel Controls 

There are three distinct functions that a comprehen- 
Sive personnel program must address. These functions are 
personnel selection, personnel training, and supervision of 
employees [Ref. 10: p. 55]. Each of these functions is 
critical to a successful program and is the subject of 
lengthy discourse in the Federal Personnel Manual. Only 
those parts of the manual pertaining explicitly to ADP func- 
tions will be discussed. 

2. Personnel Selection 

When selecting personnel to fill vacancies, a determination of the candidate's qualifications regarding training, talent and experience to perform the assigned duties should be made. Additionally, when filling sensitive ADP positions, verification of the trustworthiness of the candidate should be made [Ref. 10: p. 55]. The Federal Personnel Manual classifies ADP positions into three categories. Both of the first two categories are considered to be sensitive positions.
(1) Critical-sensitive positions--ADP-I positions. Those positions in which the incumbent is responsible for the planning, direction, and implementation of a computer security program; has a major responsibility for the direction, planning, and design of a computer system, including the hardware and software; or, can access a system during the operation or maintenance in such a way, and with a relatively high risk for causing grave damage, or realize a significant personal gain.

(2) Noncritical-sensitive positions--ADP-II positions. Those positions in which the incumbent is responsible for the direction, planning, design, operation, or maintenance of a computer system, and whose work is technically reviewed by a higher authority of the ADP-I category to insure the integrity of the system.

(3) Nonsensitive positions--ADP-III positions. All other positions involved in computer activities. [Ref. 16: p. 732-4.01]


These classifications are elaborated on in subsection 
6 of this section. When determining which positions are 
sensitive, the guidelines from FIPS Pub 31 are useful. 


...generally these (sensitive positions) will include computer operations, data control, management, auditing and programming (including acceptance testing and maintenance) of critical applications and systems. The risk analysis will usually identify critical interface points. Wherever a critical interface involves a single individual, the position is probably sensitive. [Ref. 10: p. 55]


3. Personnel Training

A surprising number of operations problems and security breaches result from promoting an individual into a position beyond his competence. Rather than admit defeat, such people have been known to destroy source documents or falsify reports in an attempt to conceal shortcomings. [Ref. 10: p. 55]

In addition to adequate job training, security training should be continuous. "The purpose of this training is to insure that each individual recognizes his vital role in installation security and does not--through familiarity--become careless" [Ref. 17: p. 33]. One key to security training is ensuring that personnel are always aware of security considerations. This security consciousness can be transmitted to all personnel by the following devices [Ref. ?: pp. 74-75]:

• Position Descriptions. All ADP position descriptions should contain a detailed list of responsibilities regarding ADP security.

• Employee Orientation. All new employees should receive an ADP security orientation.

• Bulletin Board. A special security bulletin board should be installed on which all new security regulations will be posted. Employees would be expected to initial the regulations after reading.

• Posters. A number of posters concerning ADP security are available. These can be used to serve as a constant reminder.

• News Media. If the organization has a newspaper or circular, articles concerning ADP security should be included.

• How-to-do-it Instructions. Instructions for implementing ADP security plans can be used for training. An example of this might be the written instructions of what each individual is to do in the event of a fire alarm.

• Training. Regular training classes using films, lecturers, seminars, and similar devices should be held to maintain employee awareness of security and to inform them of new threats, vulnerabilities and countermeasures.

As part of the training plan, all employees should be aware that if any of the following conditions occur, it should be reported immediately to the ADP security officer [Ref. ?: p. 6]. A discussion of ADP security training is presented in Chapter X of this thesis.

4. Supervision

Supervisors can make strong contributions to the security program in the following three ways [Ref. 10: p. ?]:


• He can set the example by complying with security directives and can also ensure his staff complies.

• He can maintain close effective communications with his staff to both identify and reduce the number of disgruntled employees.

• Finally, he can ensure that his subordinates are properly trained and competent.


In addition to the above, there are several other steps that supervisors can take to reduce the opportunity for employee fraud. First of all, supervisors can help control vacations and job rotations. Not only can vacations help reduce errors by maintaining morale and reducing fatigue, but they also help deter fraud because the probability of discovery is increased when the perpetrator's job is performed by someone else, even if for only a short period of time. Job rotation reduces risk by improving the level of cross-training. It also helps deter fraud because personnel realize that the next individual who performs that function might discover the fraud. The second step that supervisors can take to reduce employee fraud is to restrict employees from handling their own accounts. When an employee handles his own account he is presented with an unnecessary temptation. One method of reducing fraud is by removing the opportunity to easily perform a fraudulent act [Ref. 18: pp. 8-9].
5. Termination Procedures

An often overlooked facet of personnel security is the procedures for handling terminated employees. Employees who are terminated, voluntarily or involuntarily, are much more likely to be disgruntled and therefore present a threat to the system. To minimize the vulnerability to the threat, the following steps, if applicable, should be performed.

1. Collect all identification including badges, ID, and business cards (new business cards and ID cards indicating retired status may be considered for retiring employees).

2. Revoke all powers of attorney including bank signature cards. Change or revoke all codes or passwords to which the employee was privy (note that the requirement to be able to do this must be considered when selecting the strategy for assigning passwords).

3. Collect all keys (including magnetic stripe cards), signature plates, and other evidences of authority.

4. Settle all accounts including expense accounts and courtesy accounts.

5. Reconcile accounts of any resource over which the employee had control, such as petty cash, parts inventory, or tape library. Where indicated for the protection of the employee who will assume accountability, an audit should be considered.

6. Reclaim all proprietary information in the custody of the employee.

7. Remind the employee of any ongoing contractual obligations to you, including restrictions on use of data to which the employee has become privy in the course of employment with you. [Ref. 18: p. 9]
6. Mandatory Procedures

The Federal Personnel Manual has issued the following policy for screening Federal personnel associated with the design, operation or maintenance of Federal computer systems and personnel having access to data in these systems. These procedures require that:

(1) In accordance with paragraph 732-1-3 and paragraph 732-A-4 of the Federal Personnel Manual, ADP positions be classified as category I, II, or III;

(2) Personnel be screened in accordance with Chapter 736 of the Federal Personnel Manual and paragraph 16-214 of OPNAVINST 5510.1F, which require that a National Agency Check and Inquiry (NACI) be required for employment in noncritical-sensitive and nonsensitive positions and a pre-appointment full-field investigation be required on applicants for critical-sensitive positions;

(3) That personnel in ADP-I positions be reinvestigated every five years in accordance with paragraph 736-2-6 of the Federal Personnel Manual; and

(4) For all ADP positions a continuing assessment of the trustworthiness and reliability of the incumbents be made by system managers. [Ref. 16: pp. 732-4.01 and 732-A-1 - 732-A-2]

Federal guidelines for designating ADP positions are included in Appendix C.
7. Personnel Audit Checklist

The AFIPS System Review Manual on Security contains an audit checklist on pages 16-24 that can serve as a guide for evaluating the personnel program. It was compiled prior to the publication of the ADP position classification scheme, however, so it does not address those items. [Ref. ?: pp. 16-24]





B. ADMINISTRATIVE SECURITY

Elaborate security measures designed into the hardware or software of a computer system will not prevent the computer operator from putting two-part paper on a printer and keeping one copy of classified output for himself or herself, nor will they keep an intruder out of the tape library. Basic administrative controls are an integral part of information security in a data processing environment...." [Ref. 20: p. 51]

The preceding quote stresses the need for administrative security controls in an ADP security program. Administrative security is defined as "the management constraints, operational procedures, accountability procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data. Synonymous with procedural security" [Ref. 21: p. 4]. The proper design and implementation of administrative controls can reduce the following vulnerabilities.


• DP standards are non-existent, or those that exist relate mainly to documentation.

• Security and control standards are poor, unenforced, or do not exist.

• There are no policies, standards, or procedures in relation to protection of privacy in systems which process personal data.

• Controls for data entry and output are not viewed as a challenge by systems people and users. Systems are designed with little consideration of edit checks to prevent data pollution.

• Data entry personnel are not trained or are not evaluated on their ability to catch mistakes and control their own errors.

• There are no controls over the submission, receipt, and return of data in batch processing jobs. [Ref. 9: p. 70]
1. Principles of Security Management

There are three major principles that should be kept in mind during the design of administrative controls. These principles are separation of duties, the never alone principle, and the limited tenure principle [Ref. 15: pp. 46-47].

a. Separation of Duties

The purpose behind the separation of duties principle is best expressed by Enger and Howerton who write, "The responsibilities of users and staff should be divided in such a way that collusion between entirely separate groups--an unlikely circumstance--is necessary in order to compromise the system. Knowledge of the system must be divided and restricted so that few people have enough knowledge to carry out a successful compromise" [Ref. 22: p. 27]. Within this principle there are three subprinciples that should be followed. They are the separation of ADP from the users, the separation of duties within the data processing function, and the maintenance of traditional separations.

(1) Separation of ADP from Users. The data processing function should not be directly responsible to its customer functions but to a common level of management. Additionally, no transactions should originate in the data processing function but should come from the using departments. Finally, the data processing manager should be able to show that all work done by the data processing function and all of the resources consumed by that function were authorized by, and on behalf of, an independent customer [Ref. 18: p. 7].
(2) Separation of Duties Within the Data Processing Function. Within the data processing activity, certain functions should be performed by separate individuals to prevent fraud, or at least to make collusion a necessary condition for the perpetration of fraud. If the organization is large enough, each of the following functions should be performed by a separate person.

• Data entry (e.g., keypunch);
• Operation--job initiation;
• Operation--data input (e.g., tape mounting);
• Operation--data output (e.g., printer operation);
• System programming;
• System library maintenance;
• Application design;
• Application programming;
• Program testing;
• Data definition;
• Library management;
• Scheduling;
• Output distribution;
• Maintenance programming;
• Management [Ref. 18: p. 7].
In the event that the data processing organization is not large enough to warrant different individuals for each of these above functions and it is necessary to assign several duties to the same individual or group, then no individual or group should be allowed to perform both functions of any of the following pairs.

1. Computer operations and computer programming.

2. Data preparation and data processing.

3. Data processing and EDP quality control.

4. Computer operations and custody of EDP media.

5. Receipt of sensitive or valuable material and transmittal of same.

6. Reproduction, issue, or destruction of sensitive information and the granting of authorization for these actions.

7. Applications programming and systems programming.

8. Applications programming and data-base administration.

9. Design, implementation, and modification of security software and any other function.

10. Control of access credentials and any other function. [Ref. 15: p. 47]


One way to help achieve this separation of duties is by developing an organizational chart reflecting the division of duties and position descriptions that detail what tasks are to be performed by each individual filling a position. Figure 2 is an organization model which demonstrates the principle of separation of duties.

[Figure 2. Data Processing Organization Model: a Data Processing Manager over three divisions--Applications Programming, Systems Programming, and Data Processing Services--each with its own Security Representative.]

(3) Maintenance of Traditional Separation. Long before the recent emphasis on computer security, auditors had researched and written about the internal controls necessary in any organization. Arens and Loebbecke list six elements of internal control, the second of which is the adequate segregation of duties. They further break this classification down into the following four categories [Ref. 23: pp. 216-221].

Segregation of the Custody of Assets from Accounting. Any person who has custody of an asset should not also have controls over the records of that asset. Arens and Loebbecke continue:

In an EDP system, any person with custody of assets should be prevented from performing the programming function, and be denied access to punched cards or other input records. As a general rule it is desirable that any person performing an accounting function, whether it be in an EDP or in a manual system, be denied access to assets that can be converted to personal gain. [Ref. 23: p. 219]

Separation of the Authorization of Transactions from the Custody of Related Accounts. If possible, the person who has control over the assets should not be allowed to authorize transactions concerning the related assets. For example, when preparing a paycheck, the individual who either determines or can change the amount to be paid to an employee should not also be able to sign the check.

Separation of Duties Within the Accounting Function. No individual should be able to enter a new employee's name, check mailing address, pay rate or other vital information without some control for verifying the information being entered. This is for two reasons. First, the control measure will help discover unintentional errors and secondly, it reduces the chance of an employee entering fraudulent information into the system and collecting the resultant paycheck.

Separation of Operational Responsibility 
from Record Keeping Responsibility. Record keeping should be 
performed as a separate function to ensure that departments 
do not bias the results to show better performance than what 
was actually attained. 

There are two main things that can be done to implement the principle of separation of duties: physical barriers can be erected and rules can be made. The essential physical barriers are:

1. An EDP media ("tape") library must exist in a secure location contiguous to but separate from the computer room.

2. Data preparation (e.g., card punching) must be done in a secure area close to but separate from the computer room.

3. Programmers' offices must be physically separate from the computer.

4. The security office must be a restricted area to all personnel except those directly connected with security.

5. The computer room itself must be a secure area restricted to operators actually on duty or other authorized persons (e.g., maintenance technicians) working under strict supervision.

6. Sensitive waste material awaiting destruction must be stored in a secure area well away from the computer room. [Ref. 15: p. 48]

The methods for making these areas secure have previously been discussed under the topic of access controls in Chapter V and the section concerning the handling of classified material in Chapter VII. The administrative rules needed to implement separation of duties are:

1. Programmers shall not operate EDP equipment.

2. Operators shall neither write nor submit programs.

3. Implementation and upkeep of security features (that is, modifications to computer operating systems that are intended to enhance EDP security) shall be a separate, distinct duty.

4. Quality control and audit shall exist as functions separate and distinct from EDP production operations. [Ref. 15: p. 49]
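As an added example (not material from the thesis or its references), the following Python script encodes the ten incompatible duty pairs listed earlier in this section as a check over a duty roster; pairs 1, 3 and 9 also cover the four administrative rules above. The duty names, the roster and the function names are assumptions of the example.

```python
"""Separation-of-duties check over a duty roster.

Added example, not part of the thesis: it encodes the ten incompatible
duty pairs (Ref. 15, p. 47) and reports every person or group holding both
halves of a pair. Pairs 1, 3 and 9 also cover the administrative rules
(programmers/operators, quality control and audit, security features).
Duty names and the sample rosters are constructed for illustration.
"""

# The ten pairs no single individual or group may perform. "*" marks the two
# duties (security software, access credentials) incompatible with any other.
INCOMPATIBLE_PAIRS = [
    ("computer operations", "computer programming"),
    ("data preparation", "data processing"),
    ("data processing", "edp quality control"),
    ("computer operations", "custody of edp media"),
    ("receipt of sensitive material", "transmittal of sensitive material"),
    ("reproduction/issue/destruction of sensitive information",
     "authorization of reproduction/issue/destruction"),
    ("applications programming", "systems programming"),
    ("applications programming", "data-base administration"),
    ("security software maintenance", "*"),
    ("control of access credentials", "*"),
]


def violations(roster):
    """Return sorted (holder, duty_a, duty_b) triples that break a pair.

    roster maps a person or group name to the duties assigned to it.
    Duty names are compared case-insensitively; each conflict is reported
    once, with the two duties in alphabetical order.
    """
    found = set()
    for holder, duties in roster.items():
        held = {d.lower() for d in duties}
        for duty, partner in INCOMPATIBLE_PAIRS:
            if duty not in held:
                continue
            # A wildcard partner conflicts with every other duty held.
            clashes = held - {duty} if partner == "*" else held & {partner}
            for other in clashes:
                found.add((holder,) + tuple(sorted((duty, other))))
    return sorted(found)


def is_separated(roster):
    """True when the roster assigns no incompatible pair to one holder."""
    return not violations(roster)


# Constructed roster for a shop too small to give every function its own
# person, so several duties fall on the same individual.
SMALL_SHOP = {
    "operator": {"computer operations", "custody of EDP media"},
    "programmer": {"applications programming", "data-base administration"},
    "auditor": {"EDP quality control"},
    "security officer": {"security software maintenance",
                         "control of access credentials"},
}

# The same duties redistributed so that no holder keeps both halves of a pair.
SMALL_SHOP_FIXED = {
    "operator": {"computer operations"},
    "librarian": {"custody of EDP media"},
    "programmer": {"applications programming"},
    "dba": {"data-base administration"},
    "auditor": {"EDP quality control"},
    "security officer": {"security software maintenance"},
    "credential clerk": {"control of access credentials"},
}

if __name__ == "__main__":
    for holder, a, b in violations(SMALL_SHOP):
        print(f"{holder}: holds both '{a}' and '{b}'")
    print("fixed roster separated:", is_separated(SMALL_SHOP_FIXED))
```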

b. The Never Alone Principle

This principle helps deter fraud by making it mandatory that two or more individuals attest to or approve certain actions. Based upon the personnel resources of the ADP facility and consistent with the threat evaluation, two or more people should witness certain security-relevant actions. All individuals capable of witnessing the actions should be designated by the Commanding Officer in writing. After witnessing, the individuals should attest to it by signing a memorandum or log. Consideration should be given to applying the Never Alone principle to each of the following actions.

1. Issue and return of access-control items or credentials.

2. Issue and return of EDP media (card decks, tapes, etc.).

3. Systems initialization and shutdown.

4. Processing sensitive information.

5. Hardware and software maintenance.

6. Test and acceptance of hardware.

7. Modification of hardware.

8. Permanent systems reconfiguration.

9. Design and implementation of data bases.

10. Design, implementation, and modification of applications programs.

11. Design, implementation, and modification of operating systems.

12. Design, implementation and modification of security software.

13. Changes to documentation.

14. Changes to emergency or contingency plans.

15. Declaration of a state of emergency.

16. Destruction or erasure of important programs or data.

17. Reproduction of sensitive information.

18. Changes to EDP operating procedures.

19. Receipt, issue, or shipment of valuable material. [Ref. 15: pp. 46-47]
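As an added example (not from the thesis), the following Python script turns the Never Alone principle into a check of a signed attestation log: each of the actions listed above must carry the signatures of at least two distinct witnesses drawn from a list designated in writing by the Commanding Officer. The names, the short action labels, the log entries and the rule that the performer cannot witness his own action are assumptions of the example.

```python
"""Never Alone principle: two-person attestation check.

Added example, not from the thesis. It holds the list of actions the text
says should be witnessed (Ref. 15, pp. 46-47), a roster of the individuals
the Commanding Officer has designated in writing as witnesses, and a signed
log, and reports every logged action that lacks two distinct designated
witnesses. Names, short action labels and the log entries are constructed.
"""
from dataclasses import dataclass

# Short labels for the nineteen actions listed in the text.
WITNESSED_ACTIONS = {
    "issue/return of access credentials",
    "issue/return of EDP media",
    "system initialization/shutdown",
    "processing sensitive information",
    "hardware/software maintenance",
    "hardware test and acceptance",
    "hardware modification",
    "permanent system reconfiguration",
    "data base design/implementation",
    "applications program change",
    "operating system change",
    "security software change",
    "documentation change",
    "emergency/contingency plan change",
    "declaration of emergency",
    "destruction/erasure of programs or data",
    "reproduction of sensitive information",
    "operating procedure change",
    "receipt/issue/shipment of valuable material",
}


@dataclass(frozen=True)
class LogEntry:
    action: str
    performer: str
    signers: tuple  # everyone who signed the memorandum or log for this action


def check_entry(entry, designated, minimum=2):
    """Return the deficiencies of one log entry (empty when it complies).

    designated is the set of names designated in writing by the Commanding
    Officer. Assumption made for this example: the person performing the
    action cannot also count as one of its witnesses.
    """
    if entry.action not in WITNESSED_ACTIONS:
        return []  # no two-person requirement for this action
    problems = []
    signers = set(entry.signers)
    if entry.performer in signers:
        problems.append(f"{entry.performer} signed as witness to own action")
        signers.discard(entry.performer)
    undesignated = sorted(signers - designated)
    if undesignated:
        problems.append("not designated in writing: " + ", ".join(undesignated))
    valid = signers & designated
    if len(valid) < minimum:
        problems.append(f"{len(valid)} designated witness(es), {minimum} required")
    return problems


def audit_log(entries, designated):
    """Map the index of every non-compliant entry to its deficiencies."""
    return {i: p for i, e in enumerate(entries) if (p := check_entry(e, designated))}


# Constructed designation list and log.
DESIGNATED = {"Smith", "Lee", "Jones"}
SAMPLE_LOG = [
    LogEntry("destruction/erasure of programs or data", "Jones", ("Smith", "Lee")),
    LogEntry("system initialization/shutdown", "Smith", ("Smith", "Lee")),
    LogEntry("documentation change", "Lee", ("Smith", "Garcia")),
    LogEntry("routine job scheduling", "Jones", ()),  # not a listed action
]

if __name__ == "__main__":
    for index, problems in audit_log(SAMPLE_LOG, DESIGNATED).items():
        print(f"entry {index} ({SAMPLE_LOG[index].action}): " + "; ".join(problems))
```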
c. Limited-Tenure Principle

This is simply a repeat of the job rotation principle discussed in the personnel section. To reiterate,

...crews should be randomly rotated among shifts, individuals should be randomly rotated among crews, mandatory vacation periods should be enforced, and provision should be made for cross-training so that the practice of limited tenure can become a feasible policy. [Ref. 15: p. 47]
2. Security Staff

Figure 2 indicates that each of the three major divisions--applications programming, systems programming, and data processing services--has its own security representative. Although this is preferable, it is not mandatory. OPNAVINST 5239.1A requires only the following four types of security positions on the security staff.

• The ADP Security Officer;

• Network Security Officer;

• ADP Systems Security Officer;

• Terminal Area Security Officer.

These positions are the subject of further discussion in both section 2.3 of Reference 4 and Chapter II of this thesis. Therefore, their importance and duties will not be repeated here. It is sufficient to note that they represent administrative controls.

3. Auditing of System

Another form of administrative control is the act of auditing the ADP system. Several auditing establishments are available to perform this function. The first of these is the activity internal review function. By properly conducting internal reviews of ADP functions, internal review officers can spot potential problem areas and allow the Commanding Officer to take appropriate actions to correct the discrepancies. Additionally, if the review is properly documented, Naval Audit Service personnel can use the internal review as a basis for performing their audit. In accordance with OPNAVINST 5239.1A, internal auditors should place emphasis "on the use of valid audit trails and other management controls in the design and installation of financial and accounting systems. At the local activity level, these functions also include the responsibility to review unique or critical areas related to the safeguarding of resources such as physical security, hardware and software security, and prevention of theft or fraud" [Ref. 4: p. 9-2].

Besides performing audits, the Naval Audit Service is also a valuable source of information on current literature, directives, and events concerning ADP security. Therefore, the ADP security officer should maintain close liaison with the local Naval Audit Service.

4. Administrative Controls

The principle of administrative security has been discussed but specific controls have not been mentioned. This is because they are too numerous to mention. These controls can be generally classified as those that are applied during the various stages of data processing and those that apply to the documentation of systems and programs. The Systems Auditability and Control Study [Ref. 24] and Systems Management: Management Controls for Data Processing [Ref. 25] provide a description of the former controls, and Sawyer provides a listing of documentation requirements for computer programs (Appendix D).





5. Mandatory Requirements

Appendix I to OPNAVINST 5239.1A outlines the security and audit controls applicable to the life cycle of ADP systems. Additional mandatory controls are published in NAVCOMPTINST 7000.36 [Ref. 26].
SYSTEMS SECURITY

The purpose of this chapter will be to discuss systems security development and techniques for hardware, software, data, communications and emanations. Some systems will be combined for ease of discussion in certain areas.

Certain controls cannot be meaningfully discussed or evaluated separately but must be considered as part of an overall system. The hardware, software, data and communications should be considered together when evaluating a security program. For example, hardware and software controls are combined together when processing information to restrict data input and inquiry to authorized individuals. Communications devices, which are used to link hardware components, use software and hardware security controls to provide security. Data is an input to the system, is processed by the hardware using software programs, is transmitted through the communication devices and is an output of the system. Therefore, most hardware, software, communication and security controls should aid in protecting data and thus are also data controls. Although these controls are broken down into different subheadings within this chapter, the reader should be aware that the controls overlap and the implementation of one control may positively or negatively affect the need for a seemingly unrelated control.
A. HARDWARE AND SOFTWARE CONTROLS

Most of the current literature on computer controls discusses hardware and software features together. That procedure will be followed in this section. Hardware security is defined as "computer equipment features or devices used in an ADP system to preclude unauthorized, accidental, or intentional modification, disclosure, or destruction of ADP resources" [Ref. 4: p. A-8]. Software security is the software routines which manage system resources, supervise actions within a system, limit access to files, provide audit trails and achieve other similar security measures [Ref. 9: pp. 92-93].

1. Control Objectives
Mair, Wood, and Davis list four objectives of hardware and software controls. They are as follows:

a. Detection of Errors

Hardware and software controls should be able to detect the following three types of errors:

(1) Errors Generated by the Hardware or System. Processing errors can be caused by computer malfunctions, interference, worn out parts, electrical irregularities and other similar incidents.

(2) Errors Within Applications Programs or System Software.

(3) Clerical-Type Errors. These errors are usually made by computer operators or data librarians and involve improper console instructions or the mounting of incorrect files on peripherals.

b. Prevention of Unauthorized Access to and Use of Data and Equipment.

c. Recording of Activities Performed Within the Information Processing Facility.

d. Supporting Effective Utilization of the Computer.

In modern systems, the scheduling and allocation of equipment and jobs is often determined automatically. It is essential that the effectiveness of these hardware and software functions be determined. [Ref. 27: pp. 334-335]

2. Isolation in a Computer System

According to Carroll, the amount of security in an operating system is largely dependent on the isolation of that system. System isolation, in turn, is dependent on the processing mode of that system. The processing mode is dependent on the hardware and software configuration and is determined by the following four attributes.

a. Remote Versus Local

The local processing mode takes place in a secure, controlled access environment for which there is a physically controlled point of access adjacent to the computer. Remote processing consists of all other access environments, including use of remote terminals.

b. Serial Versus Multiprogramming

In serial processing, one job is processed to completion before another job is started. In multiprogramming systems, resources may be shared by two or more jobs simultaneously.
c. Batch Versus On-Line

For batch processing, all data and instructions are submitted to the computer before any job is run. On-line processing allows data and/or instructions to be submitted while the job is running.

d. Programming Versus Nonprogramming

In the programming mode, the user may execute any utility or permanent library program supported by the system. The nonprogramming mode, however, constrains the user to the context of specific programs or pre-established instructions only.

e. Ranking of Processing Modes

Following is a ranking of the processing modes from most secure to least secure:

1. Local, serial, batch, nonprogramming;

2. Local, serial, batch, programming (conventional over-the-counter submission for batch processing);

3. Local, serial, on-line, nonprogramming;

4. Local, serial, on-line, programming;

5. Local, multiprogramming, batch, nonprogramming;

6. Local, multiprogramming, batch, programming;

7. Local, multiprogramming, on-line, nonprogramming;

8. Local, multiprogramming, on-line, programming;

9. Remote, serial, batch, nonprogramming;

10. Remote, serial, batch, programming (an RJE terminal on a serial batch system);

11. Remote, serial, on-line, nonprogramming;

12. Remote, serial, on-line, programming;

13. Remote, multiprogramming, batch, nonprogramming;

14. Remote, multiprogramming, batch, programming (usual RJE mode encountered today);

15. Remote, multiprogramming, on-line, nonprogramming (remote terminal operation as found in NCIC, CPIC, etc.);

16. Remote, multiprogramming, on-line, programming. [Ref. ?: pp. 225-227]
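As an added example (not from the thesis or from Carroll), the following Python script derives the sixteen-rank ordering above from the four attributes: a step to "remote" costs the most security, then "multiprogramming", then "on-line", and "programming" the least, so the rank is one plus a four-bit number. It also shows which single attribute change would harden a given mode the most; the attribute spellings and function names are the example's own.

```python
"""Rank of a processing mode from its four attributes.

Added example, not from the thesis. It derives the rank of any mode from
Carroll's ordering as listed above: 'remote' is the most significant step
away from security, then 'multiprogramming', then 'on-line', and
'programming' the least, so the rank is 1 plus a 4-bit number. It also
shows which single attribute change hardens a given mode the most. The
attribute names are this example's own spelling.
"""
from itertools import product

# (more secure, less secure) for each attribute, most significant first.
ATTRIBUTES = (
    ("local", "remote"),
    ("serial", "multiprogramming"),
    ("batch", "on-line"),
    ("nonprogramming", "programming"),
)


def rank(mode):
    """Return 1 (most secure) to 16 (least secure) for a 4-tuple mode."""
    r = 0
    for (secure, insecure), value in zip(ATTRIBUTES, mode):
        if value not in (secure, insecure):
            raise ValueError(f"unknown attribute value {value!r}")
        r = 2 * r + (1 if value == insecure else 0)
    return r + 1


def ranking():
    """All 16 modes from most to least secure (reproduces the list above)."""
    return sorted(product(*ATTRIBUTES), key=rank)


def hardening_options(mode):
    """Each single attribute change that raises security, best first.

    Returns (attribute changed to, new rank) pairs sorted by rank gained.
    """
    options = []
    for i, (secure, insecure) in enumerate(ATTRIBUTES):
        if mode[i] == insecure:
            hardened = mode[:i] + (secure,) + mode[i + 1:]
            options.append((secure, rank(hardened)))
    return sorted(options, key=lambda opt: opt[1])


if __name__ == "__main__":
    for position, mode in enumerate(ranking(), start=1):
        print(position, ", ".join(mode))
    # The "usual RJE mode encountered today" from the list (rank 14).
    usual_rje = ("remote", "multiprogramming", "batch", "programming")
    print("usual RJE mode ranks", rank(usual_rje))
    print("hardening options:", hardening_options(usual_rje))
```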


3. Hardware Security Measures

a. Applications

Hardware controls are applied by the equipment manufacturer and therefore vary with the type of equipment and manufacturer. They are designed to ensure that data will be read and recorded accurately by the computer peripherals and that errors will not be caused by flaws in any of the hardware. Mair, Wood, and Davis list the following four ways in which hardware controls can be applied.

(1) In the Design of Equipment Elements. Examples of this type of control would be a write protect ring that protects magnetic tapes from being unintentionally overwritten and circuit breakers that would prevent damage due to power surges.

(2) Testing of Equipment Configurations Before Use. Manufacturers should ensure compatibility of their equipment with the system being used.

(3) Extensive Preventive Maintenance. Regularly scheduled contractor maintenance can help produce a high level of hardware reliability.

(4) Field Replacement of Parts or Components Which Prove Troublesome. With the advent of miniaturization and microchips, on the spot replacement of component parts has become easier. [Ref. 27: p. 336]
b. Hardware Features that Aid Security

NBS Special Publication 500-33 lists the following
hardware features that will help achieve system security.

- Positive, unique device identification--devices attached
  through the switched telephone network which offer the
  "hard-wired" self-identification capability or the
  equivalent. Other devices may be identified through
  cabling addresses, "station ID" addressing protocols,
  and so on.

- Devices which offer positive verification of mechanical
  operations (e.g., seek verification in disk devices).

- A print/display inhibit capability for interactive
  terminals--automatically controlled by the system.

- Devices to clear the residual contents of buffers,
  electronic storage areas, and all, or portions, of
  portable I/O media.

- Processing units which offer read and write protection
  and two or more privilege states.

- External storage devices designed so that there is no
  possibility of an "undetected mount" situation.

- External storage devices which offer key-operated locks
  that prevent unauthorized removal of portable media.

- A line-break sensing capability for all communications
  equipment. All conditions of potential disconnect/
  reconnect (such as transient noise or other switched-
  network disturbances) should be made known to the system
  so that the system will then be able to invoke device-ID
  reverification procedures.

- A key-operated power on/off switch for remotely-located
  devices. Certain devices (particularly intelligent
  terminals and communicating typewriter devices) may have
  major functions (such as transmit, receive, typewriter
  only) controlled independently by key-operated switches
  or a single key-operated multi-function switch.
  [Ref. 28: pp. 15-16]
4. Software Security Measures

Software controls can be broken down into two basic
classifications--application programs and operating systems.
Enger and Howerton also include data base management
software in their discussion of software security. That topic
will not be discussed in this thesis, however. If the reader
is interested in this topic he is referred to Chapter 7 of
Reference 22.

a. Application Program Controls

The following excerpt from FIPS Pub 31 provides a
thorough discussion of programming controls.
6.5. Programming Controls

In line with the recognized objective of generating
technically sound programs, the ADP security program should
include controls in the areas of program design, acceptance
testing and standards. Each of these topics is discussed
in the following sections.

6.5.1. Program Design

There are five major program areas in which design
can contribute to security. First is the inclusion of audit
trails in the programming process. The basic objective
is to make it possible at any point in time to determine
the status of a given piece of data. In most cases the
systems analysts and system designers will want to involve
the auditor in the design phase as he will be able to
postulate the optimum placement of audit trails and
controls.

The second is the development of a test plan that
will consider all possible elements of input, and the
interfaces and operational aspects of each new program as
part of the program design effort rather than as an
afterthought. It is not enough to test a program for ranges
of likely input; it should also be tested for improbable,
illegal and impossible input. In addition, stand-alone tests
usually are not sufficient to establish the adequacy of a
given program or module. Not all programs need to meet the
same test criteria; the stringency of the testing should
be a function of importance, complexity and sensitivity.
Development of written testing guidelines tailored to the
needs of the ADP facility is an important step in achieving
good control.

The third control area is program change. Programs
should be designed to simplify installation of future
changes. Every change, even those involving only one
statement, should be authorized, approved, and documented
with no exceptions. Otherwise, control is lost and the
programming process becomes anarchistic. Program library
maintenance packages, as mentioned previously, can help in
the control and maintenance of program changes. Naming
conventions are essential to program change control. The
current trend is toward integrated data definitions for
all ADP applications, so that every element will be unique.

Controls on the accuracy of data records are the
fourth design objective. There is a wide range of possible
checks including keypunch verification, computer matching
against predetermined legal values for fields,
self-checking digits and control fields. Standard design
criteria should include the qualitative controls to
be included in any new application or any revision of an
old application.

Finally, quantitative controls where feasible
should also be installed during the design process. These
could include control totals, run-to-run counts (hash
totals), trailer records, dollar controls, automatic
checkpoint/interruption routines, verification of the output
and input record counts and the like. Violation of
qualitative and quantitative controls should cause error
notifications maintained as an error suspense file.

The need for quantitative and qualitative controls
should be determined by the risk analysis. If the application
is of high value, high risk, or consumes a great deal
of ADP resources, these controls should receive more
attention than low risk, low visibility applications.


6.5.2. Program Installation

One of the most sensitive points in the programming
process is the release of an application to the production
system, and its operation against a live data base.
Installation of a new program should occur only after thorough
program system tests have been completed and approved. The
more organizational entities participating in this approval,
the better the control. The programmer, a testing or
quality control function, operations, and users should
all participate in getting the program from design to final
acceptance test and into the live system. However, care
should be taken to see that approval does not become a mere
ritual. Each program should receive detailed, independent
review. Larger ADP facilities may want to consider
establishing a separate program test and control group. Smaller
ADP facilities would probably be served adequately by
defining specific procedures for the installation process to
be carried out by an existing group but with as much
review and separation of responsibilities as is possible.
Again, no program should be accepted without adequate and
complete documentation which has been reviewed and approved
by an independent body. In case of disaster or
non-availability of key programmers, the ADP facility could
find itself quite vulnerable to loss if the documentation
is inadequate.

6.5.3. Documentation of Controls

The procedural controls over data, operations, system
design, programming and acceptance testing already
described must themselves be documented if they are to be
fully effective. This is often done by preparing documents
called procedures manuals, operations and user handbooks,
or similar titles. Responsibility for producing the
documents may be assigned to a procedures group in a large ADP
facility. The small ADP facility may call on individuals
to document their particular areas. In either case, the
ADP security planner should participate. He should analyze
the security objectives of the ADP facility as discussed
above to determine the role of the practices or standards
in accomplishment of security goals. Based both on these
security objectives as well as on ADP management goals, a
procedures program should be formulated for the ADP
facility. [Ref. 10: pp. 60-62]
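To make the program design controls of section 6.5.1 in the excerpt above concrete, the following Python program is an added illustration (not code from the thesis, from FIPS Pub 31 or from any NFC system): it validates a constructed pay batch record by record against legal field values, a self-checking digit and a numeric range, then checks the batch as a whole against the record count, hash total and dollar control carried in a trailer record, and collects every violation into an error suspense file. The record layout, the pay-code table and the use of the Luhn mod-10 scheme as the check digit are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed table of legal values for the pay-code field (a qualitative control).
LEGAL_PAY_CODES = {"REG", "BAS", "BAQ", "SEA"}

# Constructed sample batch (not real NFC data).  Detail records are
# "D,<account>,<pay code>,<amount>"; the trailer record carries the
# quantitative controls: "T,<record count>,<hash total of accounts>,<dollar total>".
# Records 2-4 each break one qualitative control, and the trailer's dollar
# total was computed without the negative record, so the dollar control fails too.
SAMPLE_BATCH = """\
D,1234567897,REG,1500.00
D,2345678903,BAS,312.50
D,3456789019,XYZ,250.00
D,3456789019,REG,-75.00
T,4,10493824838,2062.50
"""


@dataclass(frozen=True)
class Violation:
    record_no: int   # 0 means a batch-level (trailer) control
    control: str     # which control was violated
    detail: str


def luhn_valid(number: str) -> bool:
    """Self-checking digit: the last digit must bring the mod-10 (Luhn) sum to zero."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_detail(record_no: int, fields: list[str]) -> list[Violation]:
    """Qualitative controls on one detail record: layout, check digit, legal values, range."""
    if len(fields) != 4:
        return [Violation(record_no, "layout", f"expected 4 fields, got {len(fields)}")]
    _, account, pay_code, amount = fields
    found = []
    if not luhn_valid(account):
        found.append(Violation(record_no, "check-digit", f"account {account} fails mod-10 check"))
    if pay_code not in LEGAL_PAY_CODES:
        found.append(Violation(record_no, "legal-value", f"pay code {pay_code!r} not in table"))
    try:
        amt = Decimal(amount)
    except InvalidOperation:
        found.append(Violation(record_no, "format", f"amount {amount!r} is not numeric"))
    else:
        # "Improbable, illegal and impossible input": NaN or infinity, a negative
        # payment, or more precision than cents all fail the range control.
        if not amt.is_finite() or amt < 0 or amt.as_tuple().exponent < -2:
            found.append(Violation(record_no, "range", f"amount {amount} out of range"))
    return found


def validate_batch(text: str) -> list[Violation]:
    """Run the qualitative controls per record, then the quantitative controls
    (record count, hash total, dollar control) against the trailer record."""
    violations: list[Violation] = []
    count, hash_total, dollar_total = 0, 0, Decimal("0")
    trailer = None
    for record_no, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue
        if fields[0] == "T":
            trailer = fields
            continue
        if fields[0] != "D":
            violations.append(Violation(record_no, "layout", f"unknown record type {fields[0]!r}"))
            continue
        violations.extend(check_detail(record_no, fields))
        count += 1
        if len(fields) == 4:                 # accumulate the run totals for the trailer check
            if fields[1].isdigit():
                hash_total += int(fields[1])
            try:
                amt = Decimal(fields[3])
                if amt.is_finite():
                    dollar_total += amt
            except InvalidOperation:
                pass
    if trailer is None or len(trailer) != 4:
        violations.append(Violation(0, "trailer", "missing or malformed trailer record"))
        return violations
    try:
        checks = [("record-count", count, int(trailer[1])),
                  ("hash-total", hash_total, int(trailer[2])),
                  ("dollar-control", dollar_total, Decimal(trailer[3]))]
    except (ValueError, InvalidOperation):
        violations.append(Violation(0, "trailer", "trailer totals are not numeric"))
        return violations
    for control, actual, stated in checks:
        if actual != stated:
            violations.append(Violation(0, control, f"computed {actual}, trailer states {stated}"))
    return violations


def error_suspense_file(violations: list[Violation]) -> str:
    """Render the notifications as an error suspense file, one line per violation;
    an empty string means the batch passed every control."""
    return "".join(f"{v.record_no:06d} {v.control:<14} {v.detail}\n" for v in violations)


if __name__ == "__main__":
    print(error_suspense_file(validate_batch(SAMPLE_BATCH)) or "batch accepted")
```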


b. Operating System Controls

An operating system is defined as:

An integrated collection of service routines for supervising
the sequencing and processing of programs by a computer.
Operating systems control the allocation of
resources to a user and their programs and play a central
role in ensuring the secure operation of a computer system.
Operating systems may perform debugging, input-
output, accounting, resource allocation, compilation,
storage assignment tasks, and other "system" related
functions. Synonymous with terms such as "Monitor,"
"Executive," "Control Program," and "Supervisor." [Ref. 4: p. A-13]
Enger and Howerton state that the following security
features should be included in an operating system.

- The operating system should maintain an unbroken audit
  trail. The design should not allow a user to disable
  audit controls or to access all system information.

- User jobs should not be permitted to read or write
  outside an assigned storage area, and a user should not be
  able to access the monitor or supervisor mode.

- Maintenance personnel should not be able to bypass
  security controls while performing maintenance work.
  At such times the system is vulnerable to errors or
  intentional acts of the maintenance personnel or anyone
  else who might also be on the system and discover a
  vulnerability (for example, microcoded sections of the
  operating system may be tampered with, or sensitive
  information from on-line files may be disclosed).

- When restarting after a system crash, the system should
  verify that all terminal locations which were previously
  occupied are still occupied by the same individuals. An
  operating system crash should not expose valuable
  information such as password lists or authorization tables.

- The operating system should erase all scratch space
  assigned to a job after the normal or abnormal termination
  of the job. It should also record that multiple copies
  of output have been made from spooled storage devices.

- Files should not be read or written without having been
  opened by a program instruction, and inconsistencies
  should not be introduced into data because of
  simultaneous processing of the same file by two jobs.

- The operating system should protect a copy of information
  as thoroughly as it protects the original.


5. Mandatory Procedures

In accordance with OPNAVINST 5239.1A, the following
hardware and software security measures are mandatory.


3.4 HARDWARE AND SOFTWARE SECURITY FEATURES. A combination
of hardware and software features is essential to
provide protection for data stored or processed in a
resource-sharing ADP system authorized to process Level I
or II data. While all of the following features may not be
available in current hardware or software or a combination
thereof, they will be provided at the earliest date that
the state of the art permits. The available hardware/
software features outlined below should operate unabridged
whenever Level I or II data is contained in the resource-
sharing ADP system, and measures will be implemented to
provide special controls over the access to or modification
of such features. Where possible and practicable, such
features should contain two or more independent controls
which would have to malfunction simultaneously for a breach
of system security to occur.

a. The execution state of a processor should include one
   or more variables, i.e., "protection state variables,"
   which determine the interpretation of instructions
   executed by the processor. For example, a processor
   might have a master mode/user mode protection state
   variable, in which certain instructions are legal
   only in master mode. Modification of the protection
   state variable will be constrained by the operating
   system and hardware such that a user cannot access
   information for which the user has no authorization.

b. The ability of a processor to access locations in
   memory (hereinafter to include primary and auxiliary
   memory) should be controlled. (For example, in user
   mode, a memory access control register might allow
   access only to memory locations allocated to the
   user by the operating system.)

c. The operation of certain instructions should depend
   on the protection state of the processor. For example,
   instructions which perform input or output
   operations would execute only when in master mode.
   Any attempt to execute an instruction which is not
   authorized should result in a hardware interrupt
   which will permit the operating system to interrupt
   and/or abort the program containing the illegal
   instruction.

d. All possible operation codes, with all possible tags
   or modifiers, whether legal or not, should produce
   known responses by the computer.

e. All registers should be capable of protecting their
   contents by error detection or redundancy checks.
   These include registers which set protection state
   variables, control input or output operations,
   execute instructions, or which are otherwise fundamental
   to the secure operation of the hardware.

f. Any register which can be located by the operating
   system should also be storable, so as to permit the
   operating system to check its current contents
   against its presumed contents. (The term "register"
   as used in paragraphs e and f refers primarily to
   index or general purpose registers rather than an
   isolated address of a single storage location within
   the computer.)


g. Error detection should be performed on each fetch
   cycle of an instruction and its operand (e.g., parity
   check and address bounds check).

h. Error detection (e.g., parity checks) and memory
   bounds checking should be performed on transfers of
   data between memory and storage devices or terminals.

i. Automatic programmed interrupt should function to
   control system and operator malfunctions.

j. The identity of remote terminals for input or output
   should be a feature of hardware in combination with
   the operating system.

k. Read, write, and execute access rights of the user
   should be verified on each fetch cycle of an
   instruction and its operation.

l. The user should not have access to the operating
   system. A program operating in a user mode should be
   prevented from performing system control functions.
   As much of the operating system as possible should
   run in the user mode (as opposed to the master mode),
   and each part of the operating system should have
   only as much freedom of the computer as it needs to
   do its job. The operating system will contain
   controls which provide the user with all data to which
   the user is authorized access, but no more. If such
   controls are not feasible, output products will be
   generated only within the central computer facility
   under the cognizance of the ADPSSO. As a minimum,
   the operating system will control:

   (1) All transfers of data between memory and on-line
       storage devices; between the central computer
       facility equipment and any remote device; or
       between on-line storage devices

   (2) All operations associated with allocating ADP
       system resources (e.g., memory, peripheral
       devices, etc.); memory protection; system
       interrupt; and shifting between user and master
       protection modes

   (3) Access to programs and utilities authorized to
       perform the various categories of maintenance
       (e.g., operations which affect authorized
       additions, deletions, or changes to data) on the
       operating system, including any of its elements
       and files

   (4) All other programs (user programs) so that
       access to data is made via an access control and
       identification system which associates the user
       and user terminals in the ADP system with the
       material being accessed


m. Test and Debugging Programs. For ADP systems
   authorized to process Level I classified data, user
   application programs and systems programs which do not
   violate the security or integrity of the ADP system
   may be debugged during system operation, provided
   that such activity is limited to the user mode. All
   other system software development, experimentation,
   testing, and debugging will be performed on a system
   temporarily dedicated for these purposes.

n. Clear System Procedures. Procedures will be
   available for clearing from the system, or making
   inaccessible, all Level I classified data during operations
   without the required protection.

o. Shutdown and Restart. For ADP systems authorized to
   process Level I classified data, the operating
   system will provide security safeguards to cover
   unscheduled system shutdown (aborts) and subsequent
   restart, as well as for scheduled system shutdown
   and operational start-up.

p. Other Fundamental Features. The following features
   of the operating system are also considered
   fundamental to the secure operation of an ADP system.
   Unauthorized attempts to change, circumvent, or
   otherwise violate these features should be detectable
   and reported within a known time by the operating
   system, causing an abort or suspension of the
   responsible user activity. In addition, the incident
   will be recorded in the audit log, and the ADPSO
   notified.


   (1) Memory/storage protection. For ADP systems
       authorized to process Level I or II data, the
       operating system will protect the security of
       the ADP system by controlling:

       (a) Resource allocation (including primary and
           auxiliary memory)

       (b) Memory access outside of assigned areas

       (c) The execution of master (supervisory) mode
           instructions which could adversely affect
           the security of the operating system.

   (2) Memory residue. For ADP systems authorized to
       process Level I data, the operating system will
       ensure that Level I data or critical elements of
       the system do not remain as an accessible
       residue in memory or on on-line storage devices.

   (3) Access controls. For ADP systems authorized to
       process Level I or II data, access to Level I
       and Level II data stored within the ADP system
       will be controlled by the ADPSSO, as required by
       cognizant authority, or by automatic processes
       operating under separate and specific controls
       within the operating system established through
       hardware, software, and procedural safeguards
       approved by the ADPSSO.

   (4) Labels. For ADP systems authorized to process
       Level I classified data, all Level I classified
       data accessible by or within the ADP system will
       be identified as to its classification and
       access or dissemination limitations, and all
       output of the ADP system will be appropriately
       marked.

   (5) Terminal identification. For ADP systems
       authorized to process Level I data, manual and
       administrative procedures and/or appropriate
       hardware/software measures will be established
       to assure that the terminals from which
       personnel are attempting to access Level I classified
       data have been protected and that users are
       authorized such access. Where a terminal
       identifier is used for this purpose, it will be
       maintained in a protected file.

   (6) User identification. Where needed to assure
       control of access and individual accountability,
       each user or specific group of users of an ADP
       system authorized to process Level I or Level II
       data will be identified to the ADP system by
       appropriate administrative or hardware/software
       measures. Such identification measures will be
       in sufficient detail to enable the ADP system
       to provide the user only that data and ADP
       products which the user is authorized to receive.


q. Application. For ADP systems authorized to process
   Level I or II data, an audit log or file (manual,
   automated, or a combination of both) will be
   maintained as a history of the use of the ADP system to
   permit a regular security review of system activity.
   For example, the log should record security related
   transactions, including each access to a data file
   and the nature of the access (e.g., log ins,
   production of accountable outputs, creation of new data
   files, and all files copied). Each accountable file
   successfully accessed regardless of the number of
   individual references during each "job" or
   "interactive session" should also be recorded in the audit
   log. Much of the material in this log may also be
   required to ensure that the system preserves
   information entrusted to it. [Ref. 4: pp. J-6 - J-10]
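The processor features in items a through e of the excerpt above, and the abort-and-log handling of item p, can be modelled in a few lines. The following Python simulation is an added illustration (not code from the thesis, from OPNAVINST 5239.1A or from any Navy system): a protection state variable with master and user modes, a memory access control register bounding user accesses, an I/O instruction legal only in master mode, a known response for every operation code, and a hardware trap that returns control to a minimal "operating system" which aborts the job and writes the incident to the audit log. The instruction set, register names and user names are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    """Protection state variable (item a): the interpretation of instructions depends on it."""
    USER = "user"
    MASTER = "master"


class Trap(Exception):
    """Hardware interrupt raised for any instruction the processor will not execute."""


# Assumed instruction set: mnemonic -> (operand count, legal only in master mode).
ISA = {
    "LOAD": (1, False),     # acc <- memory[addr]
    "ADD": (1, False),      # acc <- acc + memory[addr]
    "STORE": (1, False),    # memory[addr] <- acc
    "IO": (1, True),        # input/output: master mode only (item c)
    "SETMODE": (1, True),   # change the protection state: master mode only (item a)
    "HALT": (0, False),
}


@dataclass
class CPU:
    memory: list[int]
    mode: Mode = Mode.MASTER
    acc: int = 0
    base: int = 0     # memory access control register (item b): a user job may
    limit: int = 0    # touch only addresses in [base, limit)
    audit_log: list[dict] = field(default_factory=list)
    io_log: list[int] = field(default_factory=list)

    def check_access(self, addr: int, op: str) -> None:
        """Bounds check performed on every operand fetch (items b, g and k)."""
        if not 0 <= addr < len(self.memory):
            raise Trap(f"{op}: address {addr} outside physical memory")
        if self.mode is Mode.USER and not self.base <= addr < self.limit:
            raise Trap(f"{op}: address {addr} outside allocation [{self.base}, {self.limit})")

    def step(self, instr: tuple) -> bool:
        """Execute one instruction; return False on HALT, raise Trap when not authorized."""
        op, *args = instr
        if op not in ISA:
            # Item d: an undefined operation code still produces a known response.
            raise Trap(f"illegal operation code {op!r}")
        nargs, master_only = ISA[op]
        if len(args) != nargs:
            raise Trap(f"{op}: illegal operand count")
        if master_only and self.mode is not Mode.MASTER:
            raise Trap(f"{op} attempted in {self.mode.value} mode")
        if op in ("LOAD", "ADD", "STORE"):
            self.check_access(args[0], op)
        if op == "LOAD":
            self.acc = self.memory[args[0]]
        elif op == "ADD":
            self.acc += self.memory[args[0]]
        elif op == "STORE":
            self.memory[args[0]] = self.acc
        elif op == "IO":
            self.io_log.append(self.acc)    # stands in for a channel command
        elif op == "SETMODE":
            try:
                self.mode = Mode(args[0])
            except ValueError:
                raise Trap(f"SETMODE: unknown protection state {args[0]!r}") from None
        return op != "HALT"

    def run_user_job(self, user: str, program: list[tuple], base: int, limit: int) -> str:
        """Minimal 'operating system' dispatch: load the access control register,
        drop to user mode, run the job, and on a trap abort it and log the incident."""
        self.base, self.limit = base, limit
        self.mode = Mode.USER
        pc = 0
        try:
            while pc < len(program) and self.step(program[pc]):
                pc += 1
            outcome = "completed"
        except Trap as trap:
            # Item p: the violation is detected, the responsible activity is aborted,
            # and the incident is recorded for the ADPSO's review.
            self.audit_log.append({"user": user, "pc": pc, "event": str(trap), "action": "abort"})
            outcome = "aborted"
        self.mode = Mode.MASTER     # control returns to the operating system
        return outcome


if __name__ == "__main__":
    cpu = CPU(memory=[0] * 16)
    cpu.memory[4], cpu.memory[5] = 10, 32          # constructed data for the user job
    print(cpu.run_user_job("smith", [("LOAD", 4), ("ADD", 5), ("STORE", 6), ("HALT",)], 4, 8))
    print(cpu.run_user_job("jones", [("LOAD", 4), ("STORE", 2), ("HALT",)], 4, 8))
    print(cpu.run_user_job("jones", [("SETMODE", "master"), ("IO", 0)], 4, 8))
    for entry in cpu.audit_log:
        print(entry)
```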


B. DATA SECURITY

Data security is defined as "the protection of data from
accidental or malicious modification, destruction, or
disclosure" [Ref. 21: p. 8].

1. General Principles

FIPS Pub 31 provides the following guidelines on data
controls.

Aside from conventional internal controls, the ADP
security planner should particularly verify control and
protection of data files. Care must be taken to see that
information which has been designated as sensitive under
Federal regulations is properly safeguarded when
entered into ADP data files. This may require special
handling, segregation or other techniques similar to those
used for national security information.

The ADP security planner should also evaluate physical
handling of data files at all points. He should examine
the flow of data through the ADP facility to identify
points at the input/output interfaces, during handling,
and during custodial storage, where controls may be needed
to safeguard against possible loss or destruction--and
equally important to assure that a loss will be detected.
The ADP facility should follow defined procedures in case
data is lost. Manual control techniques might include
tape/disk movement control forms, inventory logs,
authorization for use and special handling for critical items.

The use of a computer system for control of data files
deserves special consideration if there are a large number
of files. Many vendor supplied tape or disk library
management systems provide logging and control of tapes by
volume, serial number and name; prevent unauthorized
destruction of a data file; and provide automatic backup
facilities. Such systems handle both on-line and off-line
files.

Similar systems are available to manage a program
library. The typical system allows continual modification
of a program which is being developed while retaining all
previous versions. It protects against unauthorized
modification, and helps with the management of program
modifications. Such packages, whether purchased or developed
in-house, can be very useful for management and control of
data and program files.

In pre-computer days it was axiomatic to lock up
sensitive or important information, ledger books and vital
records in a desk drawer, file or safe when not in use. The
same principle should also apply to valuable computerized
data. The tape library should be locked when unoccupied
and unauthorized persons should be excluded. Data safes
and vaults, and data control rooms should be protected in
accordance with the sensitivity and value of the material
(data) stored within. The exposure to magnetic fields
should be evaluated realistically and reasonable
protective measures taken. Computer printouts should be
destroyed in accordance with sound procedures to prevent
disclosure. It does little good to develop extensive
security controls against theft of data from the computer or
programming area and then allow the same information to be
available from waste baskets, loading docks or trash heaps.
The ADP security planner should be sure that data control
requirements are properly reflected in the physical
protection program. [Ref. 10: p. 59]


2. Mandatory Procedures for ADP Media Security

ADP media are the various substances, material or
devices used to store data or information in an ADP environment
[Ref. 4: p. C-1]. These media include magnetic tapes,
disks, diskettes, disk packs, paper tape, punch cards,
aperture cards, cathode ray tube (CRT) displays, hard copy
output, core storage units, mass memory storage units, printer
ribbons, carbon paper, and computer output microfilm/
microfiche. The security requirements for ADP media are discussed
in Appendix C of Reference 4. The parts applicable to the
Navy Finance Center have been extracted and are included
below. Additionally, the applicable portions of enclosure 14
to SECNAVINST 5211.5C [Ref. 29], which states the Department
of the Navy guidelines for safeguarding personal information
in ADP systems, are included. The Department of the Navy has
broken ADP media into two basic categories--each of which has
its own applicable security controls.

(1) Working Copy Media--Media that is temporary in nature
    (retained for 180 days or less) and stays within the
    confines and control of the activity.

(2) Finished Copy--Media that is permanent in nature and
    can be released to another activity only if released
    by other than electrical means.

a. Classification of Media

Currently, the Navy Finance Center has data with
two different classification levels--Level II and Level III.

(1) Level II Data. Level II data is unclassified
data requiring special protection such as Privacy Act
data. Personal information, which falls under the Privacy
Act, is defined as:

...information identifiable to an individual that is
intimate or private, such as information pertaining to an
individual's financial, family, social, and recreational
affairs, or medical, educational, employment, or criminal
history; or information that identifies, describes, or
affords a basis for inferring personal characteristics.
[Ref. 29: p. 1 of enclosure 14]

The order goes on to state that access to personal
information shall be limited to those authorized individuals of DOD
agencies that need the information for the performance of
official duties.

(2) Level III Data. Level III data is all
unclassified data that is not included in Level II data.

Although, technically, Level II data is
unclassified, Mr. Duane Fagg, Program Manager of Security,
NAVDAC, indicated that many ADP installations within the
Department of the Navy treat it as classified data and follow
the security procedures for classified data. Therefore, the
following guidelines for security controls, security
markings, and declassifying and clearing procedures will contain
the requirements for both unclassified, Privacy Act, and
classified data.
b. Security Controls 
These are the minimum essential security controls 
for ADP media. Additional controls, if needed, can be 
included. 


(1) Unclassified Data. Both working copy and
finished media will be controlled by Navy Finance Center SOPs
which will ensure that an "adequate level of protection" is
provided.

(2) Privacy Act Data. All intermediate (working 
copy) and final ADP products shall be controlled. ADP media, 
both working copy and finished, shall be labeled to warn in- 
dividuals of the presence of personal information and the 
need for proper handling. Procedures shall be established 
for accounting for personal information in a computer fa- 
cility and for transferring storage media containing personal 
information. These accounting procedures shall include ap- 
propriate inventory control measures which will be documented. 
For each processing period (shift) a designated person will 
be responsible for ensuring that the policies for the protec- 
tion of personal information are enforced. [Ref. 30: p. 6] 

(3) Classified Data. Working copy media will be 
dated when created, marked with the highest classification of 
any data within, protected and stored in accordance with 
OPNAVINST 5510.1F and destroyed in accordance with the same 
reference when no longer useful. 

Finished media will be marked in accordance 
with section 4 of this chapter and controlled and accounted 
for in accordance with OPNAVINST 5510.1F [Ref. 30]. 

c. Security Markings

The security marking procedures for unclassified
and classified data indicated in Section C.3 of OPNAVINST
5239.1A will be used. Additionally, the below listed security
marking requirements for Privacy Act Data will be followed.
[Ref. 4: p. C-3]

Any media that contains personal information
subject to the Privacy Act will have the following external
warning: "PERSONAL DATA--PRIVACY ACT OF 1974". If the media
is classified in addition to containing personal information,
a classified label shall be used in lieu of the Privacy Act
labeling. Any one or more of the following methods can be
used for the warning [Ref. 30: para. II.J]:

- Computer generated page markings that conspicuously
  identify products as containing personal information.

- Stamps or labels.

- Cover sheets warning that the contents of the product
  contain information covered by the Privacy Act. These
  sheets would then be attached to the product. Magnetic
  storage media would not be subject to this form of
  marking.
d. Declassifying and Clearing Procedures

Declassifying ADP media is a procedure to erase
totally and unequivocally any and all classified information
stored on that media. Clearing ADP media is a procedure used
to erase classified information but it is not as thorough as
declassification procedures. Clearing is done when the media
will remain within the facility and is usually done for media
which will be reused. Declassification is required for media
which is to be released outside the facility [Ref. 4: pp.
C-5]. Procedures for declassifying and clearing various ADP
media are outlined in Sections C.4 and C.5 of OPNAVINST
5239.1A and therefore will not be repeated here. It should
be noted that these procedures pertain to classified data and
would therefore not pertain to NAVFINCEN unless its Privacy
Act data was treated as classified data or it later included
classified data in one of its systems. However, SECNAVINST
5211.5C, Section IV, does prescribe the following technical
safeguards for Privacy Act data.

(1) The use of encryption devices for the sole purpose of
    protecting unclassified personal information
    transmitted over communication circuits or processed on
    computer systems is discouraged.

(2) When magnetic media is transferred from installations
    which process personal information, steps must be
    taken to ensure that personal information is not
    released as residue on the magnetic media.

(3) One of the following actions should be taken to
    preclude the unauthorized recovery of temporary personal
    information on magnetic storage media:

    - Erasure by degaussing or overwriting;

    - Use of a dedicated pool of magnetic storage media.
    [Ref. 29: p. 2 of Enclosure 14]


C. COMMUNICATIONS SECURITY

Communications security is primarily concerned with attacks upon information in ADP systems where such attacks are not dependent upon gaining access to protected assets. It is defined as:

...the protection resulting from all measures designed to deny unauthorized persons information of value which might be derived from the possession and study of telecommunications, or to mislead unauthorized persons in their interpretation of the results of such possession and study. Also called COMSEC. Communications security includes cryptosecurity, transmission security, emission security, and physical security of communications security materials and information. [Ref. 4: p. A-5]

Besides preventing unauthorized persons from obtaining information, the system should also be designed to prevent unauthorized individuals from entering false data and to reduce noise that causes errors [Ref. 19: p. 67]. Patrick lists the following general principles that should be followed to help achieve communication security.

General Principle: The physical security of the remote terminal where messages are originated and received is of prime importance. If the terminal and the communications leading to it cannot be secured, use the system only for routine transmission.

General Principle: An unreliable communication system is an unsecure one. The quality and integrity of each link and each terminal must be investigated to ensure low error rates so that insecurity cannot result.

General Principle: If intelligent terminals and fully formulated messages are required to live with an unreliable communications system, be sure that the features installed to gain reliability do not also increase the risk of exposure.

General Principle: If store and forward message switching computers are used in your system, audit the design and operation carefully, as these constitute an additional set of exposures.

General Principle: If your transmissions are so precious as to require encryption, engage the services of an expert to assist your systems people. It must be assumed that industrial spies are experts in their specialty; you must form a superior team to achieve the protection you seek. [Ref. 19: p. 68]


1. Cryptographic Security

Cryptographic security, which is sometimes referred to as cryptosecurity, is used for classified data control and is concerned with the transformation of the data so as to make it unintelligible to any unauthorized receiver not having the necessary key to retransform it into intelligible data. This transformation and retransformation of data is usually accomplished by an encryption device. However, the use of encryption devices solely for the purpose of protecting unclassified personal data transmitted over communications circuits is discouraged unless a comprehensive risk analysis indicates that encryption is warranted [Ref. 29: p. 5 of Enclosure 14]. Since it is doubtful that a risk analysis will determine that encryption devices are necessary for NFC Cleveland, they will not be discussed in this thesis. Additionally, data encryption is not 100% secure, as it is frequently necessary to decrypt data when it enters a computer so it can be processed; thus a security hole is created. If further information is desired, the reader is directed to paragraph 5.5.2 of Reference 6.
2. Emission Security

Emission security, which is also referred to as emanations security, is concerned with preventing undesired signal data emanations from being received and interpreted by unauthorized persons. As with cryptosecurity, emission security is primarily used in conjunction with classified data and therefore will probably not pertain to NFC Cleveland. Additional information on emission security can be found in OPNAVINST C5510.93D.
3. Transmission Security

"...transmission security is concerned with conducting communication procedures in such a way as to afford minimal advantage to an adversely interested person who is in a position to intercept data communications." [Ref. 15: p. 153]

Carroll further states that the need for transmission security is especially important when two or more computers and two or more remote terminals are connected to form a network [Ref. 15: p. 153]. A number of subjects are included under the heading of transmission security, but two topics are especially stressed. These are the identification of users and the locations called from, and a determination of whether the user has the necessary authorization for the information requested or being entered. When designing or reviewing a communications system, hardware and software controls should be considered to perform the following functions:

• Authorize and verify all operator sign-ons.

• Authorize and validate the terminal or node location as well as the device type.

• Use time-of-day authorization codes or other access control checks to authorize access to sensitive system components.

• Test for message sequencing to protect against the "record and replay" threat.

• Provide for message rejection and proper notification if authorization tests are not met.

• Validate routing, addresses, message content, and other format constraints.

• Ensure delivery with positive acknowledgment and feedback.

• Employ checksums and other positive assurances that the message sent was correctly delivered.

• Use time-dependent parameters not included in the plain text message, or relate responses to parameters hidden in a previous request.

• In "query and response" systems, use an element not in the plain text of the query as a factor in the response to validate it. [Ref. 9: pp. 114-115]
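The sequencing, checksum and hidden-parameter controls in the list above, as an added example in Python that is not part of the thesis: a host-side receiver that validates terminal identity, sequence number, message age and a keyed integrity tag (HMAC-SHA256 stands in for the "checksums" of the list), and a response bound to a nonce that never appears in the plain text of the query. The terminal identifiers, shared key and message contents are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample values for this example, not values from the thesis.
SHARED_KEY = b"constructed-demo-key"     # secret shared by terminal and host
AUTHORIZED_TERMINALS = {"T01", "T02"}    # hypothetical terminal identifiers
MAX_AGE = 30                             # seconds before a message is stale


def integrity_tag(key, terminal, seq, ts, nonce, body):
    """Keyed tag over every field the host checks. A plain checksum catches
    line noise only; HMAC-SHA256 also resists deliberate alteration."""
    msg = f"{terminal}|{seq}|{ts}|{nonce}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_message(key, terminal, seq, ts, nonce, body):
    """Terminal side. The nonce is a time-dependent parameter bound into the
    tag but absent from the plain text body."""
    return {"terminal": terminal, "seq": seq, "ts": ts, "nonce": nonce,
            "body": body,
            "tag": integrity_tag(key, terminal, seq, ts, nonce, body)}


class HostReceiver:
    """Host side: terminal authorization, tag, staleness, replay and sequence
    checks, with a rejection log for the required notification."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now
        self.last_seq = {}        # terminal id -> last accepted sequence number
        self.seen_nonces = set()  # nonces already consumed
        self.log = []             # rejection notices

    def _reject(self, msg, reason):
        self.log.append(f"REJECT {msg.get('terminal')} seq={msg.get('seq')}: {reason}")
        return False

    def accept(self, msg):
        term = msg.get("terminal")
        if term not in AUTHORIZED_TERMINALS:
            return self._reject(msg, "terminal not authorized")
        expected = integrity_tag(self.key, term, msg["seq"], msg["ts"],
                                 msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return self._reject(msg, "integrity tag mismatch")
        if abs(self.now() - msg["ts"]) > MAX_AGE:
            return self._reject(msg, "message stale")
        if msg["nonce"] in self.seen_nonces:
            return self._reject(msg, "nonce reused (record and replay)")
        if msg["seq"] != self.last_seq.get(term, 0) + 1:
            return self._reject(msg, "sequence number out of order")
        self.seen_nonces.add(msg["nonce"])
        self.last_seq[term] = msg["seq"]
        return True

    def respond(self, request, answer):
        """Response tag covers the request's hidden nonce, so the terminal can
        tell a genuine answer from a substituted or replayed one."""
        return {"body": answer,
                "tag": integrity_tag(self.key, request["terminal"], request["seq"],
                                     request["ts"], request["nonce"], answer)}


def terminal_check_response(key, request, response):
    """Terminal side of the query-and-response check."""
    expected = integrity_tag(key, request["terminal"], request["seq"],
                             request["ts"], request["nonce"], response["body"])
    return hmac.compare_digest(expected, response["tag"])


def run_demo():
    """Drive the host with a fixed clock and return each check's outcome."""
    host = HostReceiver(SHARED_KEY, now=lambda: 1000.0)
    m1 = build_message(SHARED_KEY, "T01", 1, 1000.0, "n-1", "QUERY ACCT 1234")
    results = {"genuine": host.accept(m1),
               "replay": host.accept(m1)}          # recorded and played back
    m2 = build_message(SHARED_KEY, "T01", 2, 1000.0, "n-2", "QUERY ACCT 5678")
    results["tampered"] = host.accept(dict(m2, body="QUERY ACCT 9999"))
    results["second"] = host.accept(m2)
    stale = build_message(SHARED_KEY, "T01", 3, 900.0, "n-3", "QUERY ACCT 1")
    results["stale"] = host.accept(stale)
    rogue = build_message(SHARED_KEY, "T99", 1, 1000.0, "n-4", "QUERY ACCT 1")
    results["rogue_terminal"] = host.accept(rogue)
    reply = host.respond(m2, "BALANCE 0")
    results["reply_ok"] = terminal_check_response(SHARED_KEY, m2, reply)
    results["reply_forged"] = terminal_check_response(
        SHARED_KEY, m2, dict(reply, body="BALANCE 999999"))
    results["rejections"] = len(host.log)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```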


4. Physical Security of Communications Materials

Physical security measures have already been discussed in Chapter V. Procedures to control physical access should be applied to the following communication devices:

• Terminals and modems;

• Telephone frame rooms where data are transmitted or received;

• Dedicated communications lines to and from distribution offices;

• Communications switching centers;

• TSCA and remote concentrators;

• All processing nodes in the network. [Ref. 9: p. 114]

5. Integrity Considerations

Although not listed as a specific part of communications security, as defined by DON, communications integrity should be considered when designing or reviewing a communications system. If the system cannot transmit a message accurately and in a reasonable amount of time, it may cause incorrect or untimely data to be processed. The following techniques designed to detect and correct communication line errors should be considered.

• Error detection codes, such as horizontal and vertical parity checks or polynomial check codes.

• Manually-initiated corrective actions, such as direct retransmission, retransmission at slower speeds, or retransmission at a later time.

• Systems-initiated corrective actions, such as automatic retransmission if acknowledgment is negative (NAK).

• Alternative routing schemes, such as those that are a part of most distributed networks.

• Establishment of a technical control center to focus communications system control and maintenance activity. (This approach enhances reliability, centralized performance monitoring, diagnosis, and repair functions. A technical control center is especially valuable in a mixed vendor environment; it helps avoid the usual "finger-pointing." However, due to the highly sensitive nature of such a facility, particular care must be exercised over personnel selection, physical protection, and procedures.)

• Backup and redundancy of essential equipment. The extent and scope depends on the criticality of the communications function and the topology of the network (a distributed network has some inherent backup capability; a hierarchical network is vulnerable to single-element failures). [Ref. 9: p. 114]
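The error detection codes and the NAK-driven retransmission in the list above, as an added example in Python that is not part of the thesis: vertical (per-character) and horizontal (longitudinal) even parity over a block, a polynomial check code (a bitwise CRC-16 with the CCITT polynomial 0x1021 is assumed), and a sender that retransmits a frame while the receiver answers NAK. The sample block and the noisy channel are constructed; the rectangle error pattern shows a case parity misses and the CRC catches.

```python
def parity_bit(byte):
    """Even-parity bit for one character (vertical redundancy check, VRC)."""
    return bin(byte).count("1") % 2


def longitudinal_parity(data):
    """Horizontal check character: XOR of all characters in the block (LRC)."""
    lrc = 0
    for b in data:
        lrc ^= b
    return lrc


def encode_parity_block(data):
    """Attach a VRC bit per character and one LRC byte to a block."""
    return {"data": bytes(data),
            "vrc": [parity_bit(b) for b in data],
            "lrc": longitudinal_parity(data)}


def check_parity_block(block):
    """Return the list of parity failures; an empty list means the block checks."""
    errors = [f"VRC failure at character {i}"
              for i, b in enumerate(block["data"])
              if parity_bit(b) != block["vrc"][i]]
    if longitudinal_parity(block["data"]) != block["lrc"]:
        errors.append("LRC failure")
    return errors


def crc16_ccitt(data, poly=0x1021, init=0xFFFF):
    """Polynomial check code: CRC-16, generator x^16 + x^12 + x^5 + 1,
    no bit reflection, initial register 0xFFFF (assumed parameters)."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def corrupt(block, flips):
    """Constructed line errors: flips is a list of (byte index, bit mask)."""
    buf = bytearray(block)
    for index, mask in flips:
        buf[index] ^= mask
    return bytes(buf)


def parity_versus_crc(data, flips):
    """Report which code notices a given error pattern on a block."""
    block = encode_parity_block(data)
    damaged = dict(block, data=corrupt(data, flips))
    return {"parity_errors": check_parity_block(damaged),
            "crc_detects": crc16_ccitt(damaged["data"]) != crc16_ccitt(data)}


def make_frame(data):
    """Frame = data followed by its 16-bit CRC trailer, high byte first."""
    crc = crc16_ccitt(data)
    return bytes(data) + bytes([crc >> 8, crc & 0xFF])


def frame_checks(frame):
    data, trailer = frame[:-2], frame[-2:]
    return crc16_ccitt(data) == ((trailer[0] << 8) | trailer[1])


def noisy_channel(bad_attempts, flips):
    """Channel that damages the frame on the first bad_attempts deliveries."""
    def deliver(frame, attempt):
        return corrupt(frame, flips) if attempt <= bad_attempts else frame
    return deliver


def send_with_retransmit(data, channel, max_attempts=3):
    """System-initiated correction: resend while the receiver answers NAK."""
    frame = make_frame(data)
    replies = []
    for attempt in range(1, max_attempts + 1):
        received = channel(frame, attempt)
        if frame_checks(received):
            replies.append("ACK")
            return {"status": "delivered", "attempts": attempt,
                    "replies": replies, "data": received[:-2]}
        replies.append("NAK")
    # Automatic retries exhausted: the manual actions in the list (slower
    # speed, later retransmission, alternate route) are the next step.
    return {"status": "failed", "attempts": max_attempts,
            "replies": replies, "data": None}


if __name__ == "__main__":
    sample = b"PAY RECORD 0042"                               # constructed block
    print(parity_versus_crc(sample, [(2, 0x08)]))             # single-bit hit
    print(parity_versus_crc(sample, [(0, 0x03), (1, 0x03)]))  # rectangle pattern
    print(send_with_retransmit(sample, noisy_channel(2, [(5, 0x10)])))
```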


6. Mandatory Procedures

OPNAVINST 5239.1A does not list any mandatory procedures for facilities processing Level II data. It does, however, provide a description of a number of available control measures in paragraphs F.6 and F.8 [Ref. 4: pp. F-33 - F-43]. Additionally, control measures for message input, transmission, reception, and accounting are listed in Chapter 7 of Reference 24. As for other control procedures, a risk assessment should be undertaken to determine which controls can be beneficially applied.
VIII. CONTINGENCY PLANNING

The purpose of this chapter is to define an ADP security contingency plan and explain how one is best developed. ADP contingency plan development is discussed in Chapter 7 of OPNAVINST 5239.1A, but it shall be amplified upon in this chapter. It should be understood that contingency planning is just a part of the overall ADP security plan.

A. DEFINITION

Contingency planning is an accepted and recommended management practice which provides for well thought out responses either to preclude or, at least, to mitigate the harmful effects of potential disruptive events. Prior to preparing contingency plans for data processing activities, it is necessary to perform a risk analysis to determine the critical ADP systems and to weigh the threats and vulnerabilities as they relate to the organization. Potential emergency situations can then be anticipated, strategies for coping with them can be developed, and finally, a predetermination of expected responses to each type of emergency can be made. Contingency planning should, of course, include the actions which must be taken in response to major disasters such as floods and hurricanes. However, it is essential to remember that due to their greater frequency of occurrence, minor, more mundane events such as hardware and software failures, and operator errors, cause the most disruption of service. Contingency planning, if it is to be effective, should include the means to prevent, or to recover from, minor disruptions as well as catastrophic situations. [Ref. 31: p. 3]


B. SUPPORTING REASONS

The growing dependence during the past two decades of virtually all Federal agencies on ADP resources continues today at an unprecedented rate. This expanding dependence increases the importance of plans to prevent loss of ADP service to vital agency functions and activities.

Until very recently computers were widely regarded as simply a faster and more cost effective means of performing already established manual procedures. Also, when a computer failure occurred, it was possible to revert to the old manual processes with little more effect on the organization than inconvenience. Today, however, the computer must be considered a means of doing what cannot otherwise be done without it. Further, reverting to manual processes upon loss of the ADP resources, for whatever reason, is usually not practical and often quite impossible. It is critical that management recognize this dependence on the ADP resources in order to fully appreciate its own role in contingency planning. The plans should offer adequate assurance that any reasonably anticipatable interruption of an ADP facility's services will not preclude the continued execution of the agency's mission. [Ref. 31: pp. 3-4]

Besides the logical reasoning in support of ADP contingency planning, there are formal requirements for contingency planning. OPNAVINST 5239.1A requires the preparation, documentation, testing and evaluation of ADP contingency plans, at the least, on an annual basis [Ref. 4: p. 7-1]. Other specific pertinent directives that require contingency plans for ADP activities follow.

• Public Law 93-579 (Privacy Act of 1974), Subsection 3(e)(5) requires that agencies maintaining systems of records subject to the Privacy Act shall: "maintain all records...with such accuracy, relevance, timeliness and completeness as is reasonably necessary...." Further, subsection 3(e)(10) stipulates that agencies shall: "establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity..."

• Federal Property Management Regulations (FPMR). The General Services Administration (GSA) has published comprehensive requirements for ADP contingency planning in Chapter 101, subparts 101-35 and 101-36, FPMR.

• Office of Management and Budget (OMB) Circular A-71, Transmittal Memorandum Number 1, July 27, 1978 contains a wide range of requirements on computer security including contingency planning. In particular, it requires that each agency must include in its security program policies and responsibilities for assuring that appropriate contingency plans are developed, tested and maintained. [Ref. 31: pp. 5-6]


An ADP contingency plan for any size ADP facility should address, at a minimum, the following three elements:

1. Emergency Response--Emergency response procedures to cover the appropriate emergency response to a fire, flood, civil disorder, natural disaster, bomb threat, or any other incident or activity, to protect lives, limit damage, and minimize the impact on data processing operations.

2. Backup Operations--Backup operations procedures to ensure that essential data processing operational tasks can be conducted after disruption to the primary data processing facility. (Arrangements should be made for a backup capability, including the needed files, programs, paper stocks and preprinted forms, etc., to operate the essential systems/functions in the event of a total failure.)

3. Recovery Actions--Recovery actions procedures to facilitate the rapid restoration of a data processing facility following physical destruction, major damage, or loss of data.

To the extent possible, contingency plan documents should be brief so as to facilitate their usefulness and acceptance by the users. The plan should be tested on a recurring basis and modified as changes in the data processing facility workload dictate. Critical applications should be operated on the backup system regularly to ensure that it can properly process this workload. [Ref. 32: p. 6]


C. CONTINGENCY PLAN DEVELOPMENT

Two things are essential to the development of adequate, cost-effective, and workable contingency plans. First, the functions critical to the mission of the parent organization must be identified. These usually represent a relatively small percentage of the total ADP workload. Second, the resources essential to the accomplishment of these specific functions must also be identified. A formal risk analysis, as described in FIPS PUB 65, Guideline for ADP Risk Analysis, or other similar methodologies, will provide the data from which identification of both critical functions and critical resources can be derived. Once this is done, preparation of the plan may be begun in a logical, systematic manner. Generally, the plan is developed in three parts--Preliminary Planning, Preparatory Actions, and the Action Plan. [Ref. 31: p. ]


D. ELEMENTS OF AN ADP CONTINGENCY PLAN

The elements of an ADP contingency plan are as follows:

1. Preliminary Planning (Part One). This part establishes ground rules for the remainder of the plan, i.e., it describes the purpose, scope and assumptions relevant to the plan. It also assigns responsibilities, and describes the organizational strategy for coping with emergencies. The strategies selected will, to a large extent, directly influence the development and amount of detail in the following two parts of the plan.

2. Preparatory Actions (Part Two). This part contains sections which describe how the organization is to respond to an emergency. For example, instructions should be developed which specify how to maintain the contents of off-site storage, how to form backup teams, how to determine applications and system software requirements needed for different situations, and how to establish communications requirements. This part of the plan is prepared in as much detail as possible since it should be read and studied beforehand by those who ultimately must respond to an emergency.

3. Action Plan (Part Three). This part consists of three sections which document what to do when an emergency happens. It is not intended to be a tutorial, but should state concisely the actions necessary to effect the organizational strategies which were selected earlier and documented in part one of the plan. The three sections of this part are:

a. Emergency Response Actions. This category includes those actions which employees must take immediately upon the occurrence of an emergency to protect lives and other resources. These actions are typically necessary upon the occurrence of major events such as tornadoes, floods, fire and earthquakes, as well as in instances of more common happenings such as power outages, bursting water pipes, etc.

b. Backup Operations Actions. This category includes those actions necessary to effect temporary operations at an alternate location when operations at the home facility are no longer possible for whatever reason. These may entail transportation of files, office supplies, equipment, a variety of other materials, and the employees to the alternate site, and the initiation of ADP operations for an indeterminate period of time.

c. Recovery Actions. This section should describe what must be done to restore permanent operations at the home facility following a disaster or major disruption of service. Included may be plans to rebuild the facility, lease alternate facilities and equipment, etc. [Ref. 31: pp. 8-9]


E. STRATEGIES TO BE USED IN CONTINGENCY PLAN DEVELOPMENT

Strategies that may be used in contingency plan development are as follows:

Strategy 1--No Hardware Backup

Some few organizations need an ADP facility to perform their mission, but will not be seriously harmed if they are completely without it for periods of time possibly as long as two weeks. It is the nature of these operations that they are rarely, if ever, dynamic, transaction-oriented, communications dependent shops. In these few cases in which dependence on ADP is not immediate and critical, it is not unreasonable to assume that the original hardware can be repaired or replaced at the current or another location in time to avoid major loss, provided only that other dependencies, such as people, data, and programs, are suitably protected through backup procedures. Believing that backup of hardware facilities is not needed is not a sufficient justification for ignoring contingency planning. Further, a sound risk analysis must support the conclusion that no backup arrangement is required.

Strategy 2--Mutual Aid Agreements

Mutual aid agreements are at least conceptually possible when one facility can accept, without serious harm to its supported organizations, the critical work of another temporarily inoperative facility. Technically practicable transportability of work between two facilities requires that data and programs from one be acceptable to the other without other than the most modest change and, preferably, no change at all. Rehearsals are essential, and it should be recognized that they are usually costly, and generate unwelcome disruption to the shop providing backup. The rehearsals must include full operability of the critical systems of the facility which is down. These practice sessions or rehearsals must be thoroughly realistic and not, for example, depend on the use of any resources from the inoperative facility for operation at the backup site. These are very difficult to conduct in a mutual-aid environment. To assure compatibility with the backup system, it is highly recommended that critical applications be run (daily, if necessary) at the backup facility as part of the normal job stream (with test data, files, etc.). Quite often, the site providing the backup support must drop some of its less than critical workload in order to provide the support to another facility. Also, the differences in security requirements between the sites must be considered. For example, clearance requirements at the backup site may preclude the entry of operators from the inoperative facility unless prior clearances have been obtained.

It is difficult at best to make mutual aid arrangements totally reliable. Changes in either system (a highly likely occurrence) may instantly render the arrangement invalid. Further, management shifts may invalidate the arrangements with only short notice, leaving a previously supported facility without backup.

While mutual aid agreements are conceptually feasible, they rarely, if ever, prove to be totally reliable. The penalty to the shop needing support of discovering in time of need that backup is not actually available is generally too great to warrant complete confidence in this strategy.

Strategy 3--Contingency Centers

Contingency centers are facilities established to provide a location into which an ADP organization which has lost its own facility can move temporarily to reestablish its operations, either completely or limited to critical systems only. These centers may be cooperatively owned by several organizations to back up the owners' facilities, or they may be established as profit-making ventures which sell rights to their use through membership fees, dues, and other charges. The evolution of these centers is still recent--too recent, in fact, for there to be a large body of experience to support their workability or to provide guidance as to the potential pitfalls to be avoided. Determining the feasibility of using such centers is not complex, does not seem to have hidden pitfalls, and thus should be relatively easy to do if based upon the results of the risk analysis. There are many situations in which such centers may well be the most cost-effective route to go, while there are others in which they are not an appropriate means of backup. Again, the decision must be made on a facility-by-facility basis.

Strategy 4--One Facility, More Than One Location

This is achieved by having ADP in two geographically separated locations, the smallest of which is large enough to carry the critical workload for the few days needed to reestablish the inoperative facility. This strategy does not imply the installation of excess capacity great enough to carry the critical work--only the physical dispersion of the normal capability into two or more locations. The economic feasibility of this is based on the frequently confirmed assumption that, for the majority of facilities, the critical workload is less than 50% (commonly less than 20%) of the total load, so that no increase in total ADP capacity is required. Hardware often does not divide cleanly into two halves, but there is usually no requirement to have precisely 50% at each site. Any split which will suit the need for processing the critical work at either location is adequate, provided, of course, that the backup facility converts its workload to include only its critical functions.

Realization of all of the potential benefits of the two-location option requires that full capability to run the critical workload exists at both locations. This generally requires the full range of essential skills to be available at each site. This might, but does not necessarily, mean significant added costs. However, the feasibility of this depends heavily on the size of the operation being considered. [Ref. 32: pp. 14-17]


F. COURSES OF ACTION TO BE USED DURING RECOVERY PHASE

The following courses of action should be considered during the recovery phase of a contingency plan.

1. Restore Current Facility. ADP Facility Damaged--Backup Facilities Available for Critical Processing.

2. Rebuild Facility at Current Site. ADP Facility Destroyed, No Backup Facility/Hardware Available.

3. Establish New Facility at Different Location. ADP Facility Destroyed, Management Not Satisfied with Current Location. [Ref. 32: p. 17]

G. ITEMS TO BE SUPPORTED DURING CONTINGENCY PLAN IMPLEMENTATION

The following items must be supported in case of an emergency when a contingency plan must be put into effect.

1. People;
2. Data;
3. Software;
4. Hardware;
5. Communications;
6. Supplies;
7. Transportation;
8. Space;
9. Power and Environmental Controls;
10. Documentation.

In case of an emergency, each of the above areas should be considered and, hopefully, a plan of action for that area would have been pre-developed.

H. SIZE AND DETAIL OF AN ADP CONTINGENCY PLAN

The value of a plan is not necessarily proportional to its size. The indiscriminate inclusion of material of doubtful value in the plan will seriously downgrade its usefulness to the organization. While no recommendation is made concerning the length of a contingency plan, most organizations should find that the plan will fit comfortably in a regular loose-leaf notebook. Continuous effort will be required to keep the plan trim and concise, yet sufficiently detailed to communicate the relevant information. [Ref. 31: pp. 9-10]
I. TESTING OF THE ADP CONTINGENCY PLAN

One of the more important aspects of successful contingency planning is the continual testing and evaluation of the plan itself. Quite simply, a plan which has not been tested cannot be assumed to work. Likewise, a plan documented, tested once and then filed away to await the day of need provides no more than a false sense of security. The test plans should form a formal part of the contingency plan documentation and be as fully subject to the review and approval process as the other sections of the plan. [Ref. 32: pp. 27-28]

A sample outline of a comprehensive contingency plan is included in Appendix C.

From the discussion in this chapter, the reader should understand what an ADP contingency plan is, why it is developed, and the basic ingredients of a sound ADP contingency plan. Training and emergency exercises that are affected by contingency planning are discussed in Chapter X.
IX. COMPLIANCE WITH SECURITY DIRECTIVES

A. COMPLIANCE RESPONSIBILITY

The commanding officer, local front line supervisors, and the ADP security staff are all responsible for ensuring compliance with ADP security directives [Ref. 4: p. 8-1]. It should be noted that, for ADP security, the term "commanding officer" includes contracting officers who are responsible for administering ADP contracts [Ref. 4: p. A-5].

B. SECURITY REVIEW

1. Responsibility

The responsibility to review a command for compliance with security directives is shared by a number of positions and agencies. Commanding officers, including the applicable contracting officers, should review their own agencies at least every three years to ensure compliance with security directives. In addition to the commanding officer's review, auditors, Inspectors General, personnel from the Naval Investigative Service (NIS), and all other DON agencies and organizations that are involved in investigation, monitoring, review or detection functions at any level include in their programs the evaluation of ADP security programs at DON activities [Ref. 4: p. 8-1].
2. Elements to be Reviewed

The commanding officer's review should be comprehensive and thorough. Emphasis should be placed on the review and testing of contingency plans. The following is a minimum list of items that should be included in the review. Additional items may be included.

1. Risk assessment review;
2. Contingency plans review;
3. Security test and evaluation review;
4. Accreditation documentation review;
5. Fraud, waste, abuse or theft;
6. Accidental or deliberate disclosure of information to unauthorized persons;
7. Risk of financial loss;
8. Infringement on personal privacy or acts contrary to the Privacy Act of 1974;
9. Unauthorized destruction or modification of data;
10. Unauthorized use of DON ADP resources. [Ref. 4: pp. 8-1 - 8-2]


C. SECURITY INCIDENTS

Despite the best efforts to prevent security incidents--violations of security regulations--they are almost certain to occur. For NFC Cleveland, there are three types of security incidents that are likely to occur. These are disclosures of personal data, major criminal offenses and minor criminal offenses. These latter two types of incidents are often caused by the violation of the Standards of Conduct, which provides that:

Naval personnel (military or civilian) shall not directly or indirectly use, take, dispose, or allow the use, taking, or disposing of, Government property or facilities of any kind, including property leased to the Government, for other than officially approved purposes. Government facilities, property, and manpower (such as stationery, stenographic and typing assistance, mimeograph and chauffeur services) shall be used only for official Government business. [Ref. 33: p. 7]

The term "Government property" has been interpreted to include computer time.

1. Disclosure of Personal Data

Whenever personal data protected by the Privacy Act of 1974 is improperly disclosed, an incident report will be prepared and submitted in accordance with SECNAVINST 5211.5C [Ref. 4: p. 8-2].

2. Major Criminal Offenses

Major criminal offenses are defined as offenses "punishable under the Uniform Code of Military Justice by confinement for a term of more than one year, or similarly framed by federal statutes, state, local, or foreign laws or regulations" [Ref. 34: p. 1]. All major criminal offenses will be reported to NIS for investigation unless they are susceptible to administrative resolution without the need for professional investigative techniques. Matters that could be administratively resolved by a fact finding body, informal inquiry or administrative audits and are without criminal basis would not be major criminal offenses. Incidents that could be administratively resolved might have resulted from accident, negligence, incompetency, or some similar non-criminally motivated reason. Included as major criminal offenses is the theft or loss of any serialized government property worth $100.00 or more, or unserialized government property worth $500.00 or more. Value is defined as the greater of current market value or government price list [Ref. 35: p. 1]. It is the commanding officer's responsibility to immediately report all major criminal offenses to the nearest Naval Investigative Service field component [Ref. 34: p. 1].

3. Minor Criminal Offenses

Minor criminal offenses are defined as offenses "punishable under
the Uniform Code of Military Justice by confinement of 1 year or
less, or carrying similar punishment by federal, state, local, or
foreign statute or regulation..." [Ref. 34: p. 2]. When minor
criminal offenses occur, the investigation capabilities of the
command should be used. Examples of these organic investigations
are military police, provost marshals, and security or guard
forces. Off base investigation activities, other than the normal
liaison with local law enforcement agencies, shall be held to a
minimum and should pertain only to the immediate area surrounding
the installation [Ref. 34: p. 2].
D. PROBLEM REPORTING

Any unusual or difficult security problems that occur during the
administration of the security program should be reported to the
Naval Data Automation Command (NAVDAC). Although it is not
mandatory that these reports be signed, a signature would aid
NAVDAC in determining if the problem was widespread or restricted
to a specific system or command. Reports should be in sufficient
detail to concisely describe the problem and offer any recommended
solution. These reports should be sent to the address listed in
paragraph 11.3 of Reference 4.
X. ADP SECURITY TRAINING PLAN

A good ADP security plan is only as effective as the training plan
that supports it. Chapter 10 and Appendix D of OPNAVINST 5239.1A
are excellent guides to ADP security training. In this chapter, an
attempt will be made to illuminate the high points of OPNAVINST
5239.1A with respect to security training while integrating
security test and evaluation procedures into the plan.

A. RESPONSIBILITIES

Commanding officers are responsible for taking appropriate action
to provide their ADP security staff with the training and
experience required. The depth of knowledge and degree of
experience required in the ADP security staff are dependent on the
size and complexity of the ADP environment and the level of data
being processed.

Each member of the ADP security staff (after being properly
trained) is charged with ensuring that activity personnel are
adequately trained in ADP security. [Ref. 4: p. 10-1]


B. FORMAL ADP SECURITY TRAINING

Two 40-hour ADP security courses will be offered in support of the
Department of the Navy security program. The first 40-hour course
will be a basic course covering ADP security policy, risk
assessment, accreditation, and requirements/plans for contingency
planning. The second 40-hour course will be more advanced for
GS 334 11/13's and includes audit/inspection techniques and
procedures and case studies on performing an internal audit, IG
inspection, and ST&E. It is planned to conduct courses on-site at
the Navy Regional Data Automation Centers. Course information may
be obtained from the nearest NARDAC. [Ref. 4: p. D-1]
The first action that should be taken after security staff members
are identified should be to send as many of these personnel as
possible to these formal training courses. The greater the depth
of knowledge and the more widespread it is, the stronger the ADP
security program at an individual activity will be.


C. TARGET TRAINING AUDIENCE

The following personnel are included in the target training
audience for ADP security:

1. Customers/users;
2. Top management;
3. Security staff:
   (a) ADPSO;
   (b) ADPSSO;
   (c) TASO;
   (d) NSO;
4. Audit staff;
5. IG staff;
6. Procurement staff. [Ref. 4: p. D-2]

Basically, anyone that uses or benefits from the facility should
be aware of ADP security. This is why it is important for the
Commanding Officer to actively show his support in the development
of a sound ADP security program.
D. TOPIC AREAS TO BE COVERED

Suggested topic areas are as follows:

General security awareness;
User security;
Security administration;
Change control and computer abuse;
Software security;
Telecommunication security;
Terminal/device security;
Systems design security;
Hardware security;
Physical security;
Personnel security;
Data security;
Risk assessment;
Contingency/back-up planning;
Disaster recovery;
Security accreditation;
Security Test and Evaluation (ST&E);
ADP security and Navy interface. [Ref. 4]

These ADP security training areas are more fully developed in
Appendix D of Reference 4. Methods of training and persons
responsible for conducting the training are further delineated in
Figure 10-1 of Reference 4.
E. NFC ADP SECURITY ENVIRONMENT

What is the environment at the NFC, Cleveland? Like many other
Department of Defense (DOD) activities, security awareness is only
beginning to spread. There is only a small nucleus of personnel
with any professional training in ADP security. This is why ADP
security training with emphasis on security awareness must be the
initial step toward a realistic ADP security plan at the NFC.

The small nucleus of personnel with some computer security
expertise must be expanded to include a sufficient number of
people to form the first formal ADP security staff at the NFC.
This group must be the experts in ADP security for the NFC. In
order for this group to become experts, they must first be
afforded the opportunity of formal ADP security training. It is
recommended that as many members as possible of the ADP security
staff attend the aforementioned 40-hour courses on ADP security
that are offered by the DON. Security staff development should not
hinge upon the availability of orders for projected staff members
to attend the formal courses offered by the DON. Other DOD and DON
activities listed in Chapter 10 of Reference 4 will provide ADP
security training assistance upon request.


F. SUGGESTED ADDITIONAL TRAINING MATERIALS

Training provided by external command sources should be prefaced
by some selected readings on the subject of ADP security.
Establishing a library of readings on ADP security would be a good
goal for the first group of potential ADP security staff members.
In addition to Reference 4 and its bibliography as potential
sources of information, the following readings and their
bibliographies are suggested for review:

1. A thesis prepared by Philip A. Myers that is titled
   Subversion: The Neglected Aspect of Computer Security.
   [Ref. 36]
2. The Marine Corps Automatic Data Processing (ADP) Security
   Manual (Marine Corps Order P5510.14) that is dated
   2 January 1981. [Ref. 37]

After the initial ADP security staff has achieved sufficient
training to give them credibility, it will be their task to
coordinate an active ADP security training plan for the remainder
of the command.


G. ADP SECURITY TRAINING PLAN DEVELOPMENT

There are six basic requirements that should be considered in the
development of an ADP security training plan. Besides overall ADP
security awareness, it has been suggested that there are five
basic requirements that should be considered for ADP systems that
handle or process classified information. Although it may be
debated, since the NFC processes only Privacy Act data, which does
not qualify as classified, it is felt that these five requirements
still apply to the NFC ADP facility. The five requirements are as
follows:
Requirement 1--Marking

An ADP system which is used to process or handle classified or
other definitely categorized sensitive information shall clearly
store and maintain the integrity of classification or other
sensitivity marking labels for all information. The system shall
assure that the classified or other sensitive information is
accurately marked when included in output from the ADP system.
[Ref. 38: p. 8]

Requirement 2--Mandatory Security

The computer system must be able [to] enforce the formal system of
information control reflected in the security classification
designation and special handling restriction set associated with
the sensitive information handled or processed by the ADP system
together with the clearance set associated with the individuals
who may request access to the information. [Ref. 38: p. 9]

Requirement 3--Discretionary Security

The computer system must be able to enforce access limitations
placed on classified or other sensitive information based on
identified individuals or groups of individuals who have been
determined to have a Need-to-Know for the information. [Ref. 38:
p. 10]

Requirement 4--Accountability

An ADP system which is used to process or handle classified
information shall make provision for individual accountability
whenever classified information is generated or accessed. [Ref.
38: p. 11]

Requirement 5--Continuous Protection

The security relevant portions of a trusted computer system must
be maintained under continuous control to assure that unauthorized
changes have not been made which could possibly subvert the
system's ability to control classified information. [Ref. 38]

It is suggested that these five requirements serve as areas to be
considered in the development of the NFC ADP security training
plan. Although the five requirements are presented with equal
importance, the requirement of accountability must be understood
by all persons, clearly established, and appropriate action should
be taken when accountability responsibilities are not maintained.

How does Security Test and Evaluation (ST&E) interface with the
establishment of an ADP security training plan? Before answering
this question, we should more clearly establish the purpose of
ST&E.

Security Test and Evaluation (ST&E) is a part of the Accreditation
process. The primary purpose for conducting an ST&E is to obtain
technical information to support the DAA's decision to accredit an
ADP activity or network. [Ref. 4: p. 6-1]

With purpose established, the first step of ST&E requires
individuals with knowledge of the following:

1. ADP security;
2. System software/hardware;
3. Application software;
4. Telecommunications;
5. Emanation security;
6. Physical security;
7. Personnel, procedural and administrative security;
8. Specific customer functions. [Ref. 4: pp. 6-1 - 6-2]
H. TRAINING INTERFACE WITH SECURITY TEST AND EVALUATION (ST&E)

The list of knowledge required of individuals to perform ST&E
overlaps with the subjects in a well-developed ADP security
training plan. With the goal of ST&E being ADP facility
accreditation, the importance of a good ADP security training plan
is more clearly established. With the requirement for ADP facility
accreditation to be re-established at a minimum of once every five
years [Ref. 4], the importance of a continually updated active ADP
security training plan is emphasized. An active ADP security
training program should ensure that any ADP facility be able to
pass ST&E requirements and maintain facility accreditation.

The purpose of this chapter has been to identify subject areas
that should be included in an ADP security training plan, show the
relationship between ST&E and ADP security training, and provide
some suggested sources of ADP security training material.
XI. AUDITING

A. PURPOSE

The purpose of this chapter is to establish the need for an
effective internal audit program to monitor ADP security. Internal
audit program development and implementation will be discussed.
Further discussion will be provided on procedures that can be used
in preparation for an audit conducted by external auditors.

There are two types of auditors that will be discussed. They are
external and internal auditors. The external auditor is anyone
that is not from the immediate organization, the NFC, Cleveland,
Ohio. External auditors with which NFC Cleveland, Ohio would be
primarily concerned are General Accounting Office (GAO) and Naval
Audit Service (NAVAUDSVC) representatives. "Internal audit within
the DON is the responsibility of the Naval Audit Service
(NAVAUDSVC)" [Ref. 4: p. 9-1], but for the purposes of this paper
the NAVAUDSVC will be considered external to the NFC.

OPNAVINST 5239.1A establishes the relationship between NAVAUDSVC
and GAO where their two primary standards for audit of ADP systems
are the same [Ref. 4: p. 9-2]. This seems like a logical situation
and the establishment of an internal ADP audit organization at the
NFC with the same standards would be a natural progression of
events.


B. INTERNAL AUDIT

1. Supporting Reasons

OPNAVINST 5239.1A clearly states that "external audit and audit
assistance are not intended as substitutes for continuing review
of ADP security" [Ref. 4: p. 9-3]. It goes on to establish five
basic objectives for the internal auditor. Objective 5 should be
of particular interest to NFC personnel in support of the
establishment of an activity ADP internal audit program.
Objective 5 is as follows:

Objective 5. To provide assurance that ADP systems/applications
conform with applicable legal requirements. Early and continuing
auditor review in the design and development process should
confirm compliance with legal requirements through adoption of
countermeasures, controlled responses to information requests, and
conformance with adopted standards. Examples include State and
Federal statutes, Freedom of Information Act, DOD and DON
directives, and Federal Information Processing Standards (FIPS).
[Ref. 4: p. 9-4]


The following quote from a GAO report further establishes why we
need a strong internal audit program.

Federal agencies are placing heavier and heavier reliance on
computers, with a proportionate increase in vulnerabilities. The
consensus of Government and industry computer security experts is
that computer security audit, as a function of agency internal
audit, should be recognized as a key element in a system of
management control. Agencies fall short of making this important
provision for management control. [Ref. 39]


In further amplification of the objectives or purpose of the
internal audit function, the following is applicable.

Internal audit organizations should become involved in the design,
development, and test phases of a new computer system as a normal
part of the audit function to help ensure that adequate security
is built in before a new system goes into operation. Since
technical controls usually are an integral part of the whole
system, and can not easily be retrofitted at a later date, these
early phases in the system's life-cycle are the optimum time for
control safeguards to be incorporated. Independent internal audit
involvement is highly desirable to ensure that factors to enhance
auditability, audit trails for security, and quality output are
designed and developed into new systems. Emphasis during these
stages may otherwise be on operational priorities and
implementation time goals at the expense of the above goals.
[Ref. 39: p. 49]


2. Problems in Establishment of Internal Audit Function

With the objectives or purpose clearly established, why should
there be a problem with the establishment of a viable ADP internal
audit organization?

A primary reason for lack of significant internal audit
involvement in computer security was that most agencies' audit
organizations do not have adequate personnel with ADP expertise.
Officials of seven agencies informed us that their ADP
capabilities ranged from no qualifications to perform indepth
security type reviews to limited abilities.

We found little evidence of use of outside contracted resources to
increase internal audit capability. In one instance, we were told
the reason was that the audit group did not even have the
expertise to specify tasks and parameters within which consultants
could operate.

Our September 1977 report on the low incidence of computer audit
conducted in executive agencies cited auditors' lack of technical
ADP knowledge as a barrier to performing effective ADP audit by
the organizations whose involvement was found to be inadequate. We
recommended to heads of agencies that they develop adequate
expertise in their internal audit organizations. We found that
previously cited deficiencies are still prevalent. This is of
increasing concern since agencies' operations are becoming heavily
committed to computers, and computer technology is in a dynamic
state needing constant monitoring and review. [Ref. 39: p. 50]
With the mandate to establish an ADP internal audit program and
the problems of establishing a program very clear, what course of
action must be taken by NFC Cleveland, Ohio to solve its problems
and establish a viable internal audit function? The assumption has
been made that the problems at the NFC are similar to those at
other government agencies.

3. Internal Audit Plan Development

The first step that must be taken is to identify the potential
members of an internal ADP audit staff. Once identified, the
professional qualifications of each potential member must be
carefully reviewed and deficiencies in professional expertise
should be identified. It is anticipated that obtaining additional
professional training for members of this group will become a high
priority item. It is recommended that the internal ADP audit staff
remain autonomous from the command ADP security staff. While good
communication links should be established between the ADP security
and audit staffs, it is felt that the two staffs must remain
visibly separate in order for the audit staff to maintain an image
of credibility and continue to perform its function objectively.
It is recommended that as soon as possible, even before all
members of the audit staff are identified, additional outside
professional training be arranged for staff members. It should be
emphasized to audit staff members that additional professional
training will be an ongoing endeavor in the rapidly changing
environment of ADP. Governmental agencies lack personnel with ADP
security expertise and will continue to lack personnel with
expertise if an ongoing educational program is not established at
each individual command. Who can the NFC obtain assistance from in
the area of audit program development? The NFC may request
assistance from the NAVAUDSVC headquarters or one of its regional
offices [Ref. 4: p. 9-5]. It is also suggested that as many audit
staff personnel as possible should attend either or both of the
DON-sponsored 40-hour ADP Security courses [Ref. 4: p. D-1]. Any
additional training for ADP audit staff members in the areas of
ADP security or ADP security audit procedures would be most
helpful in the development of a good ADP security audit staff.

What action can the newly formed audit staff undertake while they
are receiving additional training? They should review their ADP
system in order to best determine in their own minds if they feel
that their system is secure. What must a secure system be able to
do?

The secure system must be able to identify all attempted
violations--accidental or malicious. Any mismatch of user or
terminal identification, password or lock word, or any
unauthorized request for processing or data requires some
reaction. At a minimum, the system should record the attempted
violation. [Ref. 20: p. 81]

When the audit staff understands the basic meaning of a secure
system, they may then attempt to determine the auditability of
their ADP system. A checklist that may be used to determine the
auditability of an ADP system is given below:

Check List

1. Are adequate records kept of all attempts to access proprietary
   information?
2. Is a record kept of all authorized accesses that clearly
   identifies the data accessed, who accessed it, and when?
3. Is a periodic report of all authorized accesses to top-priority
   information or changes to the authorized access tables provided
   to management?
4. Is management provided with timely reports of unauthorized
   access attempts?
5. Does management use the provided reports?
6. Is the record-retention period adequate for these logs?
   [Ref. 20: p. 81]
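The secure-system definition and the checklist above describe an audit trail: every mismatch or unauthorized request is recorded, every authorized access records data, who and when, management receives periodic reports, and the retention period must outlast the review interval. The following Python model is an added example, not code from this paper or from Reference 20; the users, terminals, lock words, data item names and review periods are constructed for illustration.

```python
"""Audit-trail model for the auditability checklist (added example).

Constructed data only: users, terminals, lock words and item names
are invented; nothing here is NFC's system or Reference 20's code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed authorized-access table (user -> items the user may read),
# terminal assignments and lock words. A mismatch against any of these
# is an attempted violation and is recorded even when accidental.
ACCESS_TABLE: Dict[str, Set[str]] = {
    "smith": {"PAYROLL_MASTER", "ALLOTMENTS"},
    "jones": {"ALLOTMENTS"},
}
TERMINAL_TABLE = {"smith": "T01", "jones": "T02"}
LOCKWORDS = {"smith": "alpha-7", "jones": "bravo-3"}
TOP_PRIORITY = {"PAYROLL_MASTER"}  # item 3: report authorized accesses


@dataclass
class AuditRecord:
    when: datetime
    user: str
    terminal: str
    item: str
    event: str        # "ACCESS", "VIOLATION" or "TABLE_CHANGE"
    detail: str = ""


@dataclass
class AuditTrail:
    retention: timedelta
    records: List[AuditRecord] = field(default_factory=list)
    # Per-trail copy of the access table so grants do not leak between runs.
    access_table: Dict[str, Set[str]] = field(
        default_factory=lambda: {u: set(i) for u, i in ACCESS_TABLE.items()})

    def _log(self, when, user, terminal, item, event, detail=""):
        self.records.append(AuditRecord(when, user, terminal, item, event, detail))

    def request(self, when, user, terminal, lockword, item) -> bool:
        """Item 1: each mismatch of user/terminal identification, lock word,
        or unauthorized request is recorded. Item 2: each authorized access
        records the data accessed, who accessed it, and when."""
        if LOCKWORDS.get(user) != lockword:
            self._log(when, user, terminal, item, "VIOLATION", "lock word mismatch")
            return False
        if TERMINAL_TABLE.get(user) != terminal:
            self._log(when, user, terminal, item, "VIOLATION", "terminal mismatch")
            return False
        if item not in self.access_table.get(user, set()):
            self._log(when, user, terminal, item, "VIOLATION", "not authorized for item")
            return False
        self._log(when, user, terminal, item, "ACCESS")
        return True

    def grant(self, when, admin, terminal, user, item):
        """Changes to the authorized-access table are themselves audited (item 3)."""
        self.access_table.setdefault(user, set()).add(item)
        self._log(when, admin, terminal, item, "TABLE_CHANGE", f"granted to {user}")

    def management_report(self, since: datetime) -> Dict[str, List[AuditRecord]]:
        """Items 3 and 4: what management should see each reporting period."""
        recent = [r for r in self.records if r.when >= since]
        return {
            "top_priority_accesses": [r for r in recent
                                      if r.event == "ACCESS" and r.item in TOP_PRIORITY],
            "table_changes": [r for r in recent if r.event == "TABLE_CHANGE"],
            "violations": [r for r in recent if r.event == "VIOLATION"],
        }

    def purge_expired(self, now: datetime) -> int:
        """Drop records older than the retention period; returns how many."""
        keep = [r for r in self.records if now - r.when <= self.retention]
        purged = len(self.records) - len(keep)
        self.records = keep
        return purged

    def retention_covers(self, review_interval: timedelta) -> bool:
        """Item 6: retention must outlast the interval between reviews,
        otherwise violations can expire before anyone looks at them."""
        return self.retention >= review_interval


def demo() -> dict:
    """One constructed morning of activity, then a late quarterly review."""
    t0 = datetime(1981, 6, 1, 8, 0)
    trail = AuditTrail(retention=timedelta(days=30))
    trail.request(t0, "smith", "T01", "alpha-7", "PAYROLL_MASTER")           # authorized
    trail.request(t0 + timedelta(minutes=5), "jones", "T02", "bravo-3", "ALLOTMENTS")
    trail.request(t0 + timedelta(minutes=9), "jones", "T02", "bravo-3", "PAYROLL_MASTER")
    trail.request(t0 + timedelta(minutes=12), "jones", "T01", "bravo-3", "ALLOTMENTS")
    trail.request(t0 + timedelta(minutes=15), "smith", "T01", "wrong", "ALLOTMENTS")
    trail.grant(t0 + timedelta(hours=1), "adpso", "T00", "jones", "PAYROLL_MASTER")
    report = trail.management_report(since=t0)
    recorded = len(trail.records)
    # 30-day retention reviewed quarterly: the morning's records are gone.
    purged = trail.purge_expired(now=t0 + timedelta(days=90))
    return {"recorded": recorded, "report": report, "purged": purged,
            "quarterly_review_covered": trail.retention_covers(timedelta(days=90))}


if __name__ == "__main__":
    result = demo()
    for key, recs in result["report"].items():
        print(key, [(r.when.isoformat(), r.user, r.item, r.detail) for r in recs])
    print("purged before review:", result["purged"],
          "retention adequate:", result["quarterly_review_covered"])
```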


Obtaining adequate professional training, establishing a common
understanding of a secure system and determining the auditability
of their particular ADP security system are three initial actions
that must be considered by a new ADP audit staff.

A good internal audit program will contain continual professional
training for its members and an active ongoing audit to
continually establish the security of the ADP system.

A suggested audit cycle format is listed in Table VI [Ref. ?:
p. 94]. This audit cycle is just a sample and would have to be
modified depending on the size of staff, expertise of staff and
the individual needs of the command.
TABLE VI

ESTIMATED AUDIT DAYS

Subject                                             Audit Days
Preaudit strategy and initial audit meeting              2
Security organization                               [illegible]
Perimeter and after-hours security                       4
Entrances                                           [illegible]
Employee identification                                  1
Nonpermanent employee control                            2
Key control                                         [illegible]
Guard duties                                             1
After-hours tour                                    [illegible]
Information service functions                            3
  (Approximately 2 hours per function)
High-priority document control                           2
New product security                                     4
  (2 days per unannounced product)
Trade secrets                                       [illegible]
  (2 days per trade secret)
Employee awareness                                  [illegible]
Destruction                                         [illegible]
Data security                                            6
Data processing organization                             2
Computer center access control                          1/4
Data-access control                                     3/4
Tape and disk library                                   1/2
Bulk transmission                                       1/4
Remote computing                                         3
System design                                       [illegible]
Top-priority information                                1/4
Writing audit report and final meeting              [illegible]
Total                                                   30
The main thing that should be understood is that your internal ADP
audit program must be an ongoing endeavor that is conducted by
well-trained professionals. The success of your internal ADP audit
program will often determine your success with audits conducted by
sources outside of your organization.
XII. SUMMARY

This paper is intended as a guide to be used by the NFC personnel
in the development of a viable ADP security plan. An attempt has
been made to combine the requirements established by OPNAVINST
5239.1A with selected information about ADP security from other
readings and present them in a manner that might best assist NFC
personnel in the development of an ADP security plan.

The importance of a staff being developed with its primary purpose
being ADP security cannot be overemphasized. Since ADP security is
a support function for the NFC, Cleveland, it should be realized
that the creation of a staff with its primary purpose being ADP
security will be a problem that must be confronted. The
establishment of an ADP security staff and their professional
training in ADP security is the first step toward the development
of an ADP security plan. When a trained ADP security staff has
been established and an initial draft made of a command ADP
security plan, the ongoing awareness and training of all command
personnel will help make the plan a success. Chapters on the
development of an ADP security training plan and ways to prepare
for an ADP security audit have been included.

The elements that should be included in a comprehensive ADP
security plan have each had a chapter devoted to them. They
include risk assessment, physical security, systems security and
contingency planning. An additional chapter has been included to
discuss the necessary managerial procedures needed for the
implementation of an ADP security plan.

This paper, used in conjunction with OPNAVINST 5239.1A, should
provide adequate guidance for the development of an initial ADP
security plan for the NFC Cleveland. When the plan has been
developed, its success will depend on the command personnel that
must update and implement the plan.
APPENDIX A

SECURITY CHECKLIST ASSESSMENT

Security/Management/Personnel                        Yes  No  Partial

1. Is there a written overall ADP system security plan?
2. Does any type of internal audit effort exist to determine
   compliance with security procedures?
3. Have the resource impacts of site ADP security requirements
   been fully analyzed and identified?
4. Have ADP security resource requirements been entered into
   command programming and budget documents?
5. Do you have a formalized contingency plan?
6. Do your supervisors advise you of a possibly disgruntled
   employee?
7. Are all employees cleared to the highest level of data
   processed at the installation?
8. Do you recheck employees periodically?
9. Are security and operations personnel briefed on how to react
   to civil disturbances?
10. Have appropriate personnel been briefed on the destruction or
    safeguarding of classified material in the central computer
    facility in the event the facility must be evacuated?
11. Do you have people cross-trained to cover all functions?
12. Do your personnel know how to handle telephone bomb threats?
Building/Facility                                    Yes  No  Partial

1. Is the building structurally sound?
2. Is the building on solid foundation?
3. Is the building remote from any earthquake faults?
4. Are building and equipment properly grounded for lightning
   protection?
5. Is the computer/terminals housed in building(s) which is
   fire-resistant and constructed of non-combustible materials?
6. Are there any high risk operations near by?
7. Is battery powered emergency lighting provided?
8. Are computers excluded from areas below grade?
9. Are drains installed on floor above to divert water
   accumulations away from all hardware?
10. Do you insist on the elimination of any overhead steam or
    water pipes except for sprinklers?
11. Do you have adequate drainage to prevent water overhead from
    adjacent areas?
12. Do you have adequate drainage under the raised floor?
13. Are large plastic sheets available to cover equipment for
    quick emergency water protection?
Power Supply                                         Yes  No  Partial

1. Have you monitored your power source with recorders to identify
   electrical transients?
2. If your system requires motor generators, do you have backup?
3. Do you have a back-up power supply (diesel/elec. etc.)?
4. Is backup power tested at regular intervals?
5. In the event of power failure do you have emergency lighting
   for removal of personnel?
6. Are cipher doors and fire alarm systems backed up with battery
   for removal of personnel?
7. Do you have emergency power off at all exits and within
   computer center?
8. Are emergency power offs protected from accidental activation?
9. Does the emergency power off also disable the environmental
   control system?
Environmental Supply                                 Yes  No  Partial

1. Is the environmental support system specifically dedicated to
   the computer center?
2. Do you have backup air conditioning capability?
3. Are air intakes:
   a) Covered with protective screening?
   b) Located as to prevent intake of pollutants or other debris?
4. Is compressor remote from computer room?
5. Are duct linings noncombustible?
6. Are filters noncombustible?
7. Is air temperature and humidity recorded in computer
   environment?
Fire Protection                                      Yes  No  Partial

1. Is the computer housed in a building which is constructed of
   fire-resistant and noncombustible materials?
2. Is the computer room separated from adjacent areas by
   noncombustible fire-resistant partitions, walls, and doors?
3. Are flammable or otherwise dangerous activities prohibited from
   adjacent areas or areas above or below the computer room?
4. Are ceilings and support hardware (for hung ceilings)
   noncombustible?
5. Is raised flooring made of noncombustible material?
6. Are paper and other combustible supplies stored outside the
   computer area?
7. Are file tapes and disks stored outside the computer area?
8. Are smoke detectors installed:
   a) In ceiling?
   b) Under raised floor?
   c) In air-return ducts?
9. Do you test the smoke detection system on a scheduled basis?
10. Does smoke detection equipment shutdown air conditioning
    system?
11. Is the computer area protected by:
    a) Automatic carbon dioxide?
    b) Halogenated agent?
    c) Water?
    d) Wet pipe (releases water at a set temperature)?
    e) Preaction (may sound an alarm and delay release of water)?
12. Are operators trained periodically in fire-fighting techniques
    and assigned individual responsibilities in case of fire?
13. Are portable fire extinguishers spread strategically around the
    area with location markers clearly visible over computer
    equipment?
14. Do you hold "fire drills" regularly?
15. Do you have enough fire alarm pull boxes within the computer
    areas and throughout the facility?
16. Does the alarm sound:
    a) Locally?
    b) At watchman station?
    c) At central station?
    d) At fire or police headquarters?
17. Can emergency crews gain access to the installation without
    delay?
18. Do emergency crews respond in a timely fashion?
19. Do you clean under raised floor regularly?
20. Do you prevent accumulation of trash in the computer area?
21. Are paper and supplies stored outside computer room?
22. Are tapes and disks stored outside computer room?
23. Do you have adequate supply of firefighting water available?
24. Are emergency power shutdown controls easily accessible at
    points of exit?
25. Does emergency power shutdown include air conditioning system?
26. Do you have battery-powered emergency lighting throughout the
    computer area?
27. If access is via an electronically controlled system, can it
    be operated by standby battery power?
Physical Access                                               Yes   No   Partial

1. Are guards posted at entrances?

2. Do you have a photo badge system for positive identification of employees?

3. Do you utilize keys, cipher locks, and other security devices to control
   access?
    a) Are keys, ciphers, etc. changed at regular intervals and after
       termination of an employee?

4. Can an individual gain access without the knowledge of a security guard or
   another employee?

5. Is access to the computer area restricted to selected personnel?

6. Do all personnel having unescorted access to the system possess a
   clearance/special access authorization equal to or higher than the highest
   classification and all categories being processed?

7. Are all computer operators and system programming personnel cleared for the
   highest level and most restrictive category of classified information in
   the system?

8. Is the central computer facility manned by at least two appropriately
   cleared personnel at all times?

9. Do you have a visitor control procedure?

10. Are escort procedures established for controlling visitors?
Physical Access (continued)                                   Yes   No   Partial

11. Is in-house service personnel traffic
    a) Controlled in vital areas?
    b) Supervised?

12. Is a list prepared for authorized vendor service personnel?

13. Is positive identification required for vendor service personnel?

14. Are vendor service personnel supervised while on premises?

15. Are vendor employee background checks verified?

16. Are dismissed employees of computer environment removed immediately, their
    admission badges picked up, the necessary guard personnel notified, and
    their permissions to the system deleted immediately?

17. Do you perform background checks on employees periodically?

Data Protection                                               Yes   No   Partial

1. Are files (tape, disk, or card) kept in an area other than the computer
   room?
    a) Is this area fire-protected?
    b) Is access specifically controlled?

2. Is your tape library located in an area secure from explosion or other
   dangers?

3. Are all data files maintained within and under the control of the computer
   complex rather than the user?

4. Do you maintain duplicates of all programs and data files?

5. Do you have a current inventory of such files?

6. Are the duplicate files stored in a separate building from the originals?

7. Do you maintain duplicates of all documentation?

8. Are the documentation duplicates stored in a separate building?

9. Do you review your documentation backup periodically to ensure its current
   applicability?

10. Do you maintain any type of backup of source data for programs under
    development?

11. Is the duplicate filed in a separate building from the original?

12. Have you held a "dry run" in the past 3 months to test the ease and
    accuracy of your file backup system?

13. Are changes in programs and documentation coordinated and approved by the
    cognizant areas?

Data Protection (continued)                                   Yes   No   Partial

14. Are changes made only to a reproduced version of the original program file
    with the original left intact?

15. Does your tape and disk accountability procedure cover:
    a) Frequency of use?
    b) Frequency of cleaning?
    c) Authorized user?

16. Are magnetic tapes and disks filed in an orderly manner?

17. Are tapes stored vertically?

18. Are tapes kept in their containers except when in use?

19. Are tape heads cleaned every shift?

20. Have you considered magnetic detection equipment to preclude the presence
    of a magnet near your tapes and disks?

21. Do you provide similar protection for your tape files while they are in
    transit to a backup site, etc.?

22. Do you use storage vaults specifically designed for magnetic media for
    critical tape files?

Data Protection (continued)                                   Yes   No   Partial

23. Do you have documentation standards which include:
    a) Logic or flow charts?
    b) Current listing?
    c) Input and output forms?
    d) Output samples?
    e) Copies of test data?
    f) Adequate explanation of codes, tables, calculations, etc.?
    g) Explanation of error messages?

Operating System                                              Yes   No   Partial

1. Are security-override procedures classified at the highest level and the
   use of override closely monitored?

2. Is program debugging of the security system monitored and controlled?

3. Are all modifications to the operating system monitored by the security
   office?

4. Do you "utilize" passwords to identify a specific terminal and a specific
   user?

5. Is the password combined with physical keys or access badges?

6. Are passwords changed frequently?

7. Is the password protection system really tamperproof?

8. Does the system software restrict a given individual to specific data files
   only?

9. Is access to the "keyword" and "lockword" files restricted?

10. Are remote terminals available only to selected individuals?

11. Is access to terminal controlled by:
    a) Locked doors?
    b) Posted guards?

12. Is the location of the terminal such that each user's privacy is ensured?

13. Is a monitor program maintained to record all access attempts to secure or
    sensitive files?

Operating System (continued)                                  Yes   No   Partial

14. Are dial-up terminals disabled from connection to the system during
    periods of classified processing?

15. Do you use a software security routine to monitor illegal sign-on or
    access attempts?
    a) Does this routine notify the operator via the console?
    b) Does this routine provide a hardcopy record at the end of each
       shift/day?

Software Security                                             Yes   No   Partial

1. Have you restricted access to the essential programs and software systems
   on a need-to-know basis in the prime and backup areas?

2. Do you employ keyword or password protection?

3. Are the essential programs, software systems, and associated documentation
   in your Program Library located in a locked vault or secure area?

4. Have you provided backup files at a secondary location for both the
   programs and the associated documentation?

5. Are programming changes and maintenance well controlled and documented?

6. Do you restrict terminal users to higher level languages to prevent their
   access to machine language coding?

7. Do you use a software security routine to monitor attempts to access
   sensitive files by unauthorized users?
    a) Does this routine notify the operator via the on-line console?
    b) Does this routine provide a record of all such attempts via a printout
       at day's end?

8. Can your own software systems technologists be depended upon not to
   circumvent the normal access procedures by use of a special coding, thus
   violating the integrity of the system?

9. Is a record of all operating system modifications maintained until at least
   the next software release?
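The Operating System checklist (item 15) and the Software Security checklist (item 7) both ask for a software security routine that monitors illegal sign-on or access attempts, notifies the operator, and produces an end-of-shift record; the audit-trail countermeasure in Appendix B describes the data such a routine captures (user name, log on/off time, terminal used, files requested, type of access). The following is an added example of what that daily review amounts to in code. It is not code from the thesis or from any Navy system; the record format, the need-to-know list, the lockout threshold, the working-hours window and the log lines are all constructed for the example.

```python
"""Daily review of a system activity log: lockout after repeated
unsuccessful log-ons, sensitive-file opens by users not on the access
list, and after-hours activity, plus the end-of-shift summary record.
Added example; not code from the thesis or from any Navy system. The
record format, access list and log lines are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed activity records: date, time, user, terminal, event, object/result.
SAMPLE_LOG = """\
1982-08-03 07:55 jones T01 LOGON  OK
1982-08-03 07:56 jones T01 OPEN   PAYROLL.MASTER
1982-08-03 08:02 smith T04 LOGON  FAIL
1982-08-03 08:03 smith T04 LOGON  FAIL
1982-08-03 08:03 smith T04 LOGON  FAIL
1982-08-03 08:04 smith T04 LOGON  FAIL
1982-08-03 09:10 smith T04 LOGON  OK
1982-08-03 09:12 smith T04 OPEN   PAYROLL.MASTER
1982-08-03 17:30 jones T01 LOGOFF OK
1982-08-03 23:41 brown T09 LOGON  OK
1982-08-03 23:42 brown T09 OPEN   INVENTORY.CTL
"""

# Constructed need-to-know list: sensitive file -> users authorized to open it.
SENSITIVE_FILES = {"PAYROLL.MASTER": {"jones"}, "INVENTORY.CTL": {"brown", "smith"}}
LOCKOUT_THRESHOLD = 3      # unsuccessful log-on attempts before the terminal is locked out
WORKING_HOURS = (7, 18)    # activity outside 07:00-18:00 is reported for review


def parse_log(text):
    """Parse the whitespace-separated activity records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, terminal, event, obj = line.split()
        records.append({"time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
                        "user": user, "terminal": terminal, "event": event, "object": obj})
    return records


def review(records):
    """Single pass over the day's records, emulating the security routine:
    count consecutive unsuccessful log-ons per terminal and raise a lockout
    alert at the threshold, flag opens of sensitive files by users not on the
    access list, and flag the first activity per user/terminal outside working
    hours. Returns the operator-console alerts in the order they would fire."""
    findings = []
    failures = Counter()          # consecutive LOGON failures per terminal
    after_hours_seen = set()
    for r in records:
        if r["event"] == "LOGON":
            if r["object"] == "FAIL":
                failures[r["terminal"]] += 1
                if failures[r["terminal"]] == LOCKOUT_THRESHOLD:
                    findings.append(("LOCKOUT", r["terminal"], r["user"]))
            else:
                failures[r["terminal"]] = 0   # a successful log-on resets the count
        elif r["event"] == "OPEN":
            allowed = SENSITIVE_FILES.get(r["object"])
            if allowed is not None and r["user"] not in allowed:
                findings.append(("UNAUTHORIZED_ACCESS", r["object"], r["user"]))
        hour = r["time"].hour
        key = (r["user"], r["terminal"])
        if not (WORKING_HOURS[0] <= hour < WORKING_HOURS[1]) and key not in after_hours_seen:
            after_hours_seen.add(key)
            findings.append(("AFTER_HOURS", r["terminal"], r["user"]))
    return findings


def daily_summary(records):
    """The end-of-shift hardcopy record: per user, successful and failed
    log-ons and the files requested."""
    summary = defaultdict(lambda: {"logons": 0, "failed_logons": 0, "files": []})
    for r in records:
        s = summary[r["user"]]
        if r["event"] == "LOGON":
            s["logons" if r["object"] == "OK" else "failed_logons"] += 1
        elif r["event"] == "OPEN":
            s["files"].append(r["object"])
    return dict(summary)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in review(recs):
        print("ALERT", *alert)
    for user, s in sorted(daily_summary(recs).items()):
        print(user, s)
```

On the constructed log the routine raises three alerts: a lockout for terminal T04 on the third failed attempt, an unauthorized open of PAYROLL.MASTER by smith, and after-hours activity by brown on T09; the summary then gives the reviewer the per-user counts the checklist's "printout at day's end" is meant to supply. A real implementation would block the locked-out terminal rather than merely report it; the example only shows the detection side.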
Audit Controls                                                Yes   No   Partial

1. Are program changes adequately controlled?

2. Is the log-on procedure secure?

3. Are all options of all programs really tested?

4. Do error reporting and adequate follow-up procedures exist?

5. Is input data verified against an authorized user list?

6. Is output data verified against an authorized user list?

7. Do you spot-check output frequency for possible misuse of the system?

8. Do you verify all periods of down time as to length and reason?

9. Has the facility been evaluated in accordance with applicable TEMPEST
   procedures to determine risk?

10. Has all installed ADPE been TEMPEST tested?

11. Are all changes, repairs, and modifications to TEMPEST modified ADPE
    controlled so that equipment emanations characteristics are not altered?

12. Is magnetic detection equipment used?
APPENDIX B

RISK ASSESSMENT DOCUMENTATION

SAMPLE RISK ASSESSMENT TEAM CHARTER

Canc frp: Date
NARDACNORFOLKNOTE 5450
Ser:

NARDAC NORFOLK NOTICE 5450

From: Commanding Officer, Navy Regional Data Automation Center, Norfolk

Subj: Risk Assessment Team Charter
Ref: (a) OPNAVINST 5239.1A

Encl: (1) Work Plan and Schedule

1. Background

a. Reference (a) requires all Navy automatic data processing (ADP)
activities to perform a risk assessment to determine the potential and
actual threats and vulnerabilities which could cause disruptions in service
or compromise of information. Reference (a) states that a risk assessment
is to be performed whenever major changes occur in hardware or operating
systems software, or no less frequently than once every five years.
Additionally, reference (a) outlines those action items to be accomplished
when conducting a comprehensive risk assessment.

b. The major function of this risk assessment is to provide quantitative
information upon which decisions regarding the selection and implementation
of countermeasures can be based. Secondary functions include the
documentation of assets and the assignment of priorities to work loads.

2. Objectives. The objectives of the NARDAC Norfolk risk assessment are to:

a. Determine the current security posture of the facility

b. Recommend appropriate countermeasures for implementation

FIGURE H-2 (Page 1 of 5)
OPNAVINST 5239.1A
AUG 3 1982

3. Risk Assessment Team Charter

a. Risk Assessment Team Leader

(1) Code 30X is designated as the team leader for the NARDAC Norfolk risk
assessment project with the authority to:

(a) Report directly to the Executive Officer on project matters;

(b) Make task assignments to primary and secondary team members

(c) Request information from all sources within NARDAC Norfolk

(d) Establish milestones within the framework of the risk assessment project

(2) It is the responsibility of the team leader to:

(a) Coordinate the activities of team members to minimize duplication of
effort

(b) Provide periodic reports to the Executive Officer regarding the status
of the project

(c) Make recommendations based upon the risk assessment to correct or
improve deficiencies

(d) Consolidate independent studies into a final report

b. Risk Assessment Team Members

(1) The primary team will consist of Codes 30X, 50X, and 23.

(2) Codes 07, 09L, and 40 will supply secondary team representatives by name
by 5 June 1981 to participate on an as required basis.

(3) Primary team members for the duration of the project have the authority
to:

(a) Review all internal command and operating procedures and documentation

(b) Conduct physical inspections

(c) Hold interviews with NARDAC personnel

(d) Make privileged mode computer runs

(e) Establish parameters for accomplishing the project

(4) The responsibilities of the Risk Assessment Team include the
investigation and documentation of all items relating to the ADP security
of NARDAC Norfolk and the conducting of a risk assessment in accordance with
Appendix E of reference (a).

4. Deliverable Products. Upon completion of this project, the Risk
Assessment Team will provide the following items:

a. Prioritized Workload Chart
b. Computer/Peripheral Inventory
c. Program Inventory
d. Data File Inventory
e. Annual Loss Expectancy (ALE) Computations
f. Threat and Vulnerability List
g. Recommendations for Corrective Action
h. Plant Facilities Inventory

5. Commitment. Personnel from all departments are to provide the
cooperation and assistance required by the Risk Assessment Team. It is the
intent of this project to identify problem areas so corrective action can
be taken, rather than attribute deficiencies to individuals or departments.
It is the command's position that ADP security requires a commitment by
every individual and will be enthusiastically supported by all.

FIGURE H-2 (Page 3 of 5)

6. Action. Effective immediately the designated team leader will form the
Risk Assessment Team as specified above and proceed in accordance with the
work plan and schedule provided as enclosure (1).

7. Cancellation Contingency. This notice is cancelled upon receipt of the
next issuance.

Commanding Officer
Signature

Distribution:
Enclosure (1): WORK PLAN AND SCHEDULE (blank form; the scan reproduces it
rotated)

Columns: EVENT | ORIGINAL ESTIMATED DATE | FIRST NEW ESTIMATE / DATE MADE |
SECOND NEW ESTIMATE / DATE MADE | DATE COMPLETED | COMMENT

Events listed, in order:
  Form Risk Assessment Team
  Assign Tasks and Guide Team
  Identify Assets and Impact Value
  Technical Assistance Visit #1
  Identify and Justify Rating of Threats
  Technical Assistance Visit #2
  Identify and Justify Ratings of Threats and Vulnerabilities and Existing
    Countermeasures
  Technical Assistance Visit #3
  Complete ALE Forms
  Formal Presentation to Commanding Officer
  Identify Additional Countermeasures
  Evaluate Additional Countermeasures and Revise ALE
  Technical Assistance Visit #4
  Final Presentation to Commanding Officer
  Publish Risk Assessment Report

FIGURE H-2 (Page 5 of 5)

SAMPLE FORMAT
ADP SECURITY SURVEY

SECTION I. Basic Data. (Applies to all ADP systems, networks, and OISs)

1. System Identification:
   ( ) Office Information System
   ( ) ADP System
   ( ) Network

2. System Description: (List all components, main frames, peripherals,
   communications processors, encryption devices, remote devices, network and
   remote interfaces, etc.)
3. Equipment Location:

4. System Operations Contact for Security:
   Name: ______________________  Code: ______
   Bldg: ______  Room: ______  Phone: ______________

5. Types of Data Processed and Security Modes of Operation

                                PERCENT OF          SECURITY MODE
   TYPE OF DATA                 PROCESSING TIME     OF OPERATION*
   ---------------------------  ------------------  ------------------
   Level I
     SCI
     SIOP-ESI
     TOP SECRET
     SECRET
     CONFIDENTIAL
   Level II
     Privacy Act
     For Official Use Only
     Financial
     Sensitive Management
     Proprietary
     Privileged
   Level III
   ---------------------------  ------------------  ------------------
   TOTAL                        100%

   *(Note: Applicable security modes are: Compartmented, Controlled,
   Dedicated, System High, Multilevel, Limited Access, as defined in
   Appendix A of this manual.)
6. Operating System and Standard Applications Software Identifications:

7. Scope of System: (Check all that apply.)

   ( ) Stand-alone and single controlled area (single CPU with single
       workstation).
   ( ) Shared logic and single controlled area (single CPU with multiple
       workstations).
   ( ) Shared logic and more than one controlled area (single CPU with
       multiple workstations).
   ( ) Multiple processors and single controlled area (multiple CPUs).
   ( ) Multiple processors and more than one controlled area (multiple CPUs).
   ( ) Used with a remote computer ______ percent of time.
   ( ) Other: ______________________

8. Total Value of System: $__________ (Dollar value impact of loss and cost
   to replace)

   A. Equipment: $__________
   B. Software:  $__________
   C. Data:      $__________

   (Note: Dollar values in Table E-2 can be used as a guideline for
   computing value of data files.)
9. Mission Relatedness

   A. Primary Function(s) of the System or Network:

   B. Contingency Plan Requirement:
      ( ) Plan is in existence. Date of plan is __________.
      ( ) Plan is being developed. Estimated completion date is __________.
      ( ) Plan is not required because loss of processing capability for a
          reasonable period of time would not adversely affect mission. (For
          example, 2, 4, 8 hours, 2 days, etc. depending on the criticality
          of the ADP function.) Provide justification.

SECTION II. Site Security Profile and Minimum Requirements for Environmental
and Physical Security. (Applies to all ADP systems, networks, and OISs.)

1. Vulnerability: Temperature or Humidity Outside Normal Range.

   Operating Countermeasures: (Check all that apply.)

   ( ) Adequate heating and controls
   ( ) Adequate cooling and controls
   ( ) Only designated personnel operate controls
   ( ) Functioning temperature and humidity recorder
   ( ) Functioning temperature/humidity warning system
   ( ) Other: ______________________

   Assessment of Risk:

   ( ) High   ( ) Moderate   ( ) Low
2. Vulnerability: Inadequate Lighting or Electrical Service.

   Operating Countermeasures: (Check all that apply.)

   ( ) Adequate primary lighting
   ( ) Adequate emergency lighting
   ( ) Adequate periodic checks of emergency lighting
   ( ) Adequate primary power and outlets
   ( ) Functioning power filters or voltage regulators
   ( ) Available backup power
   ( ) Other: ______________________

   Assessment of Risk:

   ( ) High   ( ) Moderate   ( ) Low

3. Vulnerability: Improper Housekeeping.

   Operating Countermeasures: (Check all that apply.)

   ( ) Routine cleaning schedule is adhered to
   ( ) Cleaning personnel are trained in computer room procedures
   ( ) An ADP facility representative is present during cleaning
   ( ) Dust contributors are not permitted in equipment areas (outer coats,
       throw rugs, drapes, venetian blinds, etc.)
   ( ) Air-conditioning filters are cleaned/replaced regularly
   ( ) Floors are polished with non-flake wax using proper buffer materials
       or properly damp-mopped
   ( ) Carpet areas are vacuumed frequently and anti-static spray is used
       regularly
   ( ) Smoking, eating, and drinking are not permitted in equipment areas
   ( ) Other: ______________________

   Assessment of Risk:

   ( ) High   ( ) Moderate   ( ) Low
4. Threat: Water Damage.

   Operating Countermeasures: (Check all that apply.)

   ( ) Water/steam pipes are not located above equipment
   ( ) Water/steam pipes are inspected at regular intervals
   ( ) Functioning humidity warning system
   ( ) Dry-pipe sprinkler system
   ( ) Raised floor
   ( ) Plastic sheets available to cover susceptible equipment
   ( ) Water detection devices
   ( ) Other: ______________________

   Assessment of Risk:

   ( ) High   ( ) Moderate   ( ) Low

5. Threat: Fire.

   Operating Countermeasures: (Check all that apply.)

   ( ) Up-to-date fire bill posted
   ( ) Periodic fire drills
   ( ) Training--fire prevention methods
   ( ) Training--emergency power down procedures
   ( ) Training--knowledge of fire detection system
   ( ) Training--use of fire extinguishers
   ( ) Training--use of fire alarm system
   ( ) Training--evacuation plan
   ( ) Training--individual responsibilities in case of fire
   ( ) Functioning emergency power-off switches
   ( ) Sprinkler system installed
   ( ) Halon system installed
   ( ) Carbon dioxide fire extinguishers installed
   ( ) Smoke/heat detectors installed
   ( ) Functioning fire alarm system
   ( ) Emergency exits clearly marked
   ( ) Other: ______________________

   Assessment of Risk:

   ( ) High   ( ) Moderate   ( ) Low
6. Vulnerability: Unauthorized Physical Access.

   Operating Countermeasures: (Check all that apply.)

   ( ) Perimeter fence
   ( ) Security guards
   ( ) Building secured outside of normal working hours
   ( ) Area alarms (motion detectors, open door detectors, perimeter
       penetration detectors)
   ( ) Authorized access list
   ( ) Cypher door lock
   ( ) Combination door lock
   ( ) Recognition of authorized personnel
   ( ) Closed circuit television
   ( ) Administrative procedures
   ( ) Physical isolation/protection
   ( ) High employee morale
   ( ) Close supervision of employees
   ( ) Indoctrination of personnel in security awareness
   ( ) Other: ______________________

   Assessment of Risk:

   ( ) High   ( ) Moderate   ( ) Low

SECTION III. Current Status of Accreditation Support Documentation.
(Applies to all ADP activities and networks which will be authorized to
handle Level I or Level II data.)

1. All ADP activities and networks which will be authorized to handle Level
I or II data must either be accredited or be granted interim authority to
operate pending accreditation. Accreditation is based on supporting
documentation including a risk assessment. This section provides a
statement of the current status of the accreditation support documentation.
(Check all that apply.)
   Columns, left to right: In existence | Being developed | Required but no
   action taken | Not required

   ( ) 	( ) 	( ) 	( )   Security Operating Procedures Handbook
   ( ) 	( ) 	( ) 	( )   Line diagrams showing interconnection of components
                          and physical layout
   ( ) 	( ) 	( ) 	( )   Description of countermeasures in place
   ( ) 	( ) 	( ) 	( )   Copies of previous accreditation or interim
                          authority to operate
   ( ) 	( ) 	( ) 	( )   TEMPEST accreditation request
   ( ) 	( ) 	( ) 	( )   TEMPEST accreditation test results
   ( ) 	( ) 	( ) 	( )   Physical accreditation
   ( ) 	( ) 	( ) 	( )   ST&E Test Plan
   ( ) 	( ) 	( ) 	( )   Contingency Plan
   ( ) 	( ) 	( ) 	( )   Contingency Plan test results
   ( ) 	( ) 	( ) 	( )   Formal Risk Assessment
   ( ) 	( ) 	( ) 	( )   Other (specify): ______________________

SECTION IV. Countermeasure Documentation for Office Information Systems.
(Applies to all OISs which will be authorized to handle Level I or Level
II.)

1. OISs Handling Level II Data. (Check all that apply.)

   ( ) The OIS will be authorized to handle Level II data. A list of the
       operating countermeasures is attached. These countermeasures provide
       proper data protection and audit trails.

   ( ) The OIS is a shared logic system with more than one simultaneous user
       not having need-to-know for all data within the system. Password
       protection or other equivalent countermeasures are employed for
       system access and for individual file access.

   ( ) The OIS Security Operating Procedures have been documented and
       approved.
2. OISs Handling Level I Data. (Check all that apply.)

   ( ) The OIS will be authorized to handle Level I data under a system high
       or dedicated mode of operation. A list of the operating
       countermeasures is attached. These countermeasures satisfy security
       requirements.

   ( ) TEMPEST accreditation has been requested. Request date __________.

   ( ) TEMPEST accreditation has been received. Accreditation date
       __________.

   ( ) The OIS Security Operating Procedures have been documented and
       approved.

SECTION V. Survey Data. (Applies to all ADP systems, networks, or OISs.)

1. Current Status: (Check all that apply.)

   ( ) Operating under accreditation for processing Level ____ data in
       ______________ security mode of operation. Accreditation granted by
       __________. Dated __________. (Attach a copy of statement of
       accreditation.)

   ( ) Operating under interim authority for processing Level ____ data in
       ______________ security mode of operation. Interim authority granted
       by __________. Dated __________. Expires __________. (Attach a copy
       of interim authority to operate.)

2. Survey Prepared By:
   Name: ______________________  Code: ______
   Bldg: ______  Room: ______  Phone: ______________

   To the best of my knowledge, the information provided in this survey and
   the attached documentation is complete and accurate.

   Signature ______________________   Date __________

   (Provide a list of all survey team members.)
EXAMPLES OF ASSETS

HARDWARE

• Central Machine
    CPU
    Main memory
    I/O channels
    Operator's console
• Storage Medium
    Magnetic media
        Disk packs
        Magnetic tapes
        Diskettes (floppies)
        Cassettes
        Drums
    Nonmagnetic media
        Punched cards
        Paper tape
        Paper printout
• Special Interface Equipment
    Network front ends
    Data base machines
    Intelligent controllers
• I/O Devices
    User directed I/O devices
        Printer
        Card reader
        Card punch
        Paper tape reader
        Terminals, local and remote
    Storage I/O devices
        Disk drives
        Tape drives

SOFTWARE

• Operating System
• Programs
    Application
    Standard application/operating programs
    System utilities
    Test programs
    Communications

PHYSICAL

• Environmental Systems
    Air-conditioning
    Power
    Water
    Lighting
• Building
• Computer Facility
    Computer room
    Data reception
    Tape and disk library
    Customer engineer room
    I/O area
    Data preparation area
    Physical plant room
• Backup Equipment
    Auxiliary power
    Auxiliary environmental controls
    Auxiliary supplies
• Supplies
    Magnetic media
    Paper
    Ribbons

PERSONNEL

• Computer Personnel
    Supervisory personnel
    Systems analysts
    Programmers
        Applications programmers
        Systems programmers
    Operators
    Librarian
    Security Officer
    Maintenance personnel
    Temporary employees and consultants
    System evaluators and auditors
    Clerical personnel
• Building Personnel
    Janitors
    Guards
    Facility engineers
• Installation Management

ADMINISTRATIVE

• Documentation
    Software
    Hardware
    File
    Program
    JCL
    System
• Operations
    Schedules
    Operating guidelines and manuals
    Audit documents
• Procedures
    Emergency plans
    Security procedures
    I/O procedures
    Integrity controls
• Inventory Records
• Operational Procedures
    Vital records
    Priority-run schedule
    Production procedures

DATA

• Classified
• Operations
• Tactical
• Planning
• Financial
• Statistical
• Personal
• Logistic
• Other

COMMUNICATIONS

• Communications Equipment
    Communications lines
    Communications processors
    Multiplexors
    Switching devices
    Telephones
    Modems
    Cables
1. ASSET NAME: System A Operating System and Support Programs

2. ASSET DESCRIPTION AND JUSTIFICATION OF IMPACT VALUE RATINGS ASSIGNED.

Operating system and compiler support software for the System 'A'
timesharing system.

Impact of modification was determined to be negligible, except in those
cases where modification would result in denial of service. Those figures
were included under denial of service.

Destruction was based on total destruction of all software and on-site
backup tapes. These figures include denial of service caused by
destruction.

Forty hours is required for delivery and check out of replacement O/S
software. 75 users denied service at $12/hour; plus 6 system programmers at
$14/hour for 16 hours; plus 3 data processing technicians at $8/hour for 36
hours. Total for the operating system = $39,936.

Sixty users denied use of the compiler at $12/hour for 24 hours; plus 1
system programmer at $14/hour for 8 hours. Total for the compiler support
software = $1,332.

Reconstruction of compiler support data based on 613 hours to re-enter data
at $8/hour. Total for compiler support data = $4,944.

Disclosure - N/A.

Denial of service was based on the number of users denied service for an
average service outage.

Operating system: 35 users at $12/hour for 1 hour = $420.
Compiler support software: 35 users at $12/hour for .5 hours = $210.
Compiler support data - N/A.

3. IMPACT VALUE RATING BY IMPACT AREA

   [ ] MODIFICATION (negligible; included under denial of service)
   [5] DESTRUCTION   [N/A] DISCLOSURE   [3] DENIAL OF SERVICE
THREAT AND VULNERABILITY EVALUATION WORKSHEET

1. THREAT NAME: Alteration of Software

2. DESCRIPTION, EXAMPLES, AND JUSTIFICATION BASED ON EXISTING
   COUNTERMEASURES AND VULNERABILITIES.

The ADP system or application software may be altered in an unauthorized
manner. Software may be modified or destroyed, adversely affecting the data
processed. Software alterations may result in program or system failure and
denial of service to users.

Payroll and inventory control program alterations could result in monetary
loss. Disclosure of the software itself is not a threat, but software
changes could affect the data being processed, resulting in modification or
disclosure of data.

There have been five incidents in the last six months where unauthorized
software patches have crashed the system for periods up to a day. File
maintenance software failed twice, erasing the master data base.
Reconstruction required 645 hours. Default options on the application
software were misprogrammed, resulting in erroneous processing. Software
generating control totals failed, causing reruns. The program linkage
control table software failed, thus preventing authorized programs from
accessing required software modules. Down time amounted to 6 hours.

There are few audit trail features on the system. Configuration control
procedures have not been formally documented. A password system is used,
but passwords are infrequently changed and often commonly known or readily
available. A large number of personnel have virtually unlimited access to
the system. Users can access the system 24 hours a day. Software
documentation does not keep pace with program changes.

3. SUCCESSFUL ATTACK FREQUENCY RATING BY IMPACT AREA.

   [2] MODIFICATION   [ ] DESTRUCTION   [2] DISCLOSURE   [ ] DENIAL OF SERVICE
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ADDITIONAL COUNTERMEASURE EVALUATION WORKS HEET 


$, TOWN TERWTESG LAS awe 2 @NNUAL COST 
Audit Trail & Daily Review Sv ADPSSO $26,000 
3 UCSCRIPTION 











Review system software ($15,000}, develop software controls (35,(€)0), and 
degradation of system operation with controls in place and svstenm ictivity 
data reviewed daily by ADPSSO ($16,900 annually). Cost amortizec over 5 
years = $26,090. Develop software controls to capture system activity data 
(user name, log on/off time, terminal used, files requested, tvpe of access, 
Output generated). ADPSSO review daily to check for unusual user activity 

in the system. 


4 3 ALE 6. 
FRREATS aFFECTEO BY THiS COUNTERME aSuREe 


a inl ALE SAVINGS 
CURRENT PRIJECTED 


Altercation of Software 90.3K 


Misuse of Resources 128.6K 





7, RETURN ON INVESTMENT 6. TO « 
aA, 
7.851 SAV SS 201 .8K 


2 OVER Aaa acl TIONAL eA Sl Sel alae 
twarc Sheca sum 


Improved eee ocd: Procedures 

Modify Operating System to Permit Terminal Lockout after a Specif. 1d Number 
o€ Peoteeess ful Log on Attempts 

Improved Vonfiguration Control Procedures 
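The audit trail and daily review countermeasure on the worksheet above, together with the terminal lockout alternative listed under item 9, can be illustrated in code. The following Python script is an added example, not part of the thesis and not an NFC system: it parses constructed activity records carrying the fields the description asks the audit trail to capture (user name, log on/off time, terminal used, file requested, type of access) and flags the kinds of unusual activity an ADPSSO's daily review would look for. The user names, file names, authorized hours, and the lockout threshold of 3 attempts are all assumptions made for the example.

```python
"""Daily ADPSSO review of system activity records (added example).

The records and the authorization table below are constructed for
illustration; the field layout follows the data the worksheet says the
audit trail should capture."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample activity records (not real NFC data):
# date time EVENT user terminal file access
SAMPLE_LOG = """\
1982-03-15 07:55 LOGON  smith T01 - -
1982-03-15 08:02 ACCESS smith T01 PAYMASTER READ
1982-03-15 08:40 ACCESS smith T01 PAYMASTER WRITE
1982-03-15 09:10 LOGON  jones T02 - -
1982-03-15 09:12 LOGON  jones T07 - -
1982-03-15 09:30 ACCESS jones T07 SYSLIB WRITE
1982-03-15 17:05 LOGOFF smith T01 - -
1982-03-15 23:40 FAIL   brown T03 - -
1982-03-15 23:41 FAIL   brown T03 - -
1982-03-15 23:42 FAIL   brown T03 - -
1982-03-15 23:44 LOGON  brown T03 - -
1982-03-15 23:50 ACCESS brown T03 PAYMASTER READ
"""

# Constructed authorizations: permitted logon hours (24h clock, start
# inclusive, end exclusive) and permitted access types per file.
AUTHORIZED = {
    "smith": {"hours": (7, 18), "files": {"PAYMASTER": {"READ", "WRITE"}}},
    "jones": {"hours": (7, 18), "files": {"PAYMASTER": {"READ"}}},
    "brown": {"hours": (7, 18), "files": {"PAYMASTER": {"READ"}}},
}

# Assumed policy value for the terminal-lockout countermeasure; the
# worksheet leaves the "specified number" open.
LOCKOUT_THRESHOLD = 3

Finding = Tuple[str, str, str]   # (finding type, user, detail)


def parse_log(text: str) -> List[dict]:
    """Parse the fixed seven-field activity records into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, kind, user, terminal, file, access = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "kind": kind, "user": user, "terminal": terminal,
            "file": None if file == "-" else file,
            "access": None if access == "-" else access,
        })
    return events


def review(events: List[dict], authorized: Dict[str, dict],
           lockout_threshold: int = LOCKOUT_THRESHOLD) -> List[Finding]:
    """Flag the kinds of unusual user activity a daily review looks for."""
    findings: List[Finding] = []
    failed = Counter()          # (user, terminal) -> consecutive failed logons
    active = defaultdict(set)   # user -> terminals with an open session
    for e in events:
        user, terminal, kind = e["user"], e["terminal"], e["kind"]
        auth = authorized.get(user)
        if auth is None:
            findings.append(("unknown-user", user, f"{kind} on {terminal}"))
            continue
        if kind == "FAIL":
            failed[(user, terminal)] += 1
            if failed[(user, terminal)] == lockout_threshold:
                findings.append(("lockout-threshold", user,
                                 f"{lockout_threshold} failed logons on {terminal}"))
        elif kind == "LOGON":
            failed[(user, terminal)] = 0
            start, end = auth["hours"]
            if not start <= e["ts"].hour < end:
                findings.append(("off-hours-logon", user,
                                 e["ts"].strftime("%H:%M on ") + terminal))
            if active[user]:
                # A second simultaneous session is a sign of a shared or
                # commonly known password.
                findings.append(("concurrent-session", user,
                                 f"{terminal} while still on {', '.join(sorted(active[user]))}"))
            active[user].add(terminal)
        elif kind == "LOGOFF":
            active[user].discard(terminal)
        elif kind == "ACCESS":
            if e["access"] not in auth["files"].get(e["file"], set()):
                findings.append(("unauthorized-access", user,
                                 f"{e['access']} {e['file']} on {terminal}"))
    return findings


def daily_review() -> List[Finding]:
    """Run the review over the constructed day's records."""
    return review(parse_log(SAMPLE_LOG), AUTHORIZED)


if __name__ == "__main__":
    for kind, user, detail in daily_review():
        print(f"{kind:<20} {user:<8} {detail}")
```

Run on the constructed day, the review reports four findings: a concurrent session for jones (two terminals without an intervening logoff), a write to SYSLIB by jones who is authorized only to read PAYMASTER, three consecutive failed logons by brown that would have tripped the terminal lockout, and brown's successful logon outside authorized hours. The point of the authorization table is that "unusual" is only measurable against a stated expectation of who may do what and when, which is why the worksheet pairs the audit trail with the password and configuration control procedures.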
ADDITIONAL COUNTERMEASURES SUMMARY LISTING

Columns of the form: ALE SAVINGS (ORIGINAL | ADJUSTED), ANNUAL COST, COUNTERMEASURE, MANDATORY REQUIREMENT (ORIGINAL | ADJUSTED). Entries as legible on the form:

   26K | 251.9     Audit Trail & Daily Review by ADPSSO
   OK  | 36.6K     Modify Operating System to Permit Terminal Lockout
                   Software Checklist
   3K  | 12.9K     Improved Password Procedures                  3.9K
   3K  | 4.5K      Improved Configuration Control Procedures     3.3K
   O&K | 748K      Two Person
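The arithmetic behind blocks 2 and 5 through 8 of the evaluation worksheet and the ordering of the summary listing is worked through in the following Python example. It is added here and is not the thesis's own method or figures: ALE is computed as annual frequency times loss per occurrence, one-time costs are amortized over five years as the worksheet does, and the dollar values, threat names and the "mandatory" flag on the password procedures entry are constructed assumptions rather than the (partly illegible) figures on the forms.

```python
"""Countermeasure cost/benefit ranking following the fields of the
additional countermeasure evaluation worksheet and summary listing
(added example; all figures are constructed for illustration)."""
from dataclasses import dataclass
from typing import Dict, List


def ale(frequency_per_year: float, loss_per_occurrence: float) -> float:
    """Annual loss expectancy: expected occurrences per year times loss per occurrence."""
    return frequency_per_year * loss_per_occurrence


@dataclass
class Countermeasure:
    name: str
    one_time_costs: List[float]       # e.g. software review, control development
    recurring_cost: float             # per-year operating cost (e.g. daily review)
    ale_current: Dict[str, float]     # threat -> ALE today (block 5)
    ale_projected: Dict[str, float]   # threat -> ALE with countermeasure in place (block 5)
    mandatory: bool = False           # "mandatory requirement" column of the listing
    amortization_years: int = 5       # the worksheet amortizes one-time costs over 5 years

    def annual_cost(self) -> float:
        """Block 2: one-time costs spread over the amortization period plus recurring cost."""
        return sum(self.one_time_costs) / self.amortization_years + self.recurring_cost

    def ale_savings(self) -> Dict[str, float]:
        """Block 6: per-threat ALE savings (current minus projected)."""
        return {t: self.ale_current[t] - self.ale_projected.get(t, self.ale_current[t])
                for t in self.ale_current}

    def total_savings(self) -> float:
        """Block 8: total ALE savings across the threats affected."""
        return sum(self.ale_savings().values())

    def roi(self) -> float:
        """Block 7: return on investment, savings per dollar of annual cost."""
        cost = self.annual_cost()
        return float("inf") if cost == 0 else self.total_savings() / cost


def sample_countermeasures() -> List[Countermeasure]:
    """Constructed worksheet entries; the figures are illustrative, not NFC's."""
    # Current ALE per threat: assumed frequency and loss per occurrence.
    alteration = ale(frequency_per_year=0.1, loss_per_occurrence=1_000_000)  # 100,000
    misuse = ale(frequency_per_year=3, loss_per_occurrence=50_000)           # 150,000
    return [
        Countermeasure(
            name="Audit trail and daily review by ADPSSO",
            one_time_costs=[15_000, 5_000],   # software review, control development
            recurring_cost=22_000,            # assumed cost of the daily review
            ale_current={"Alteration of software": alteration, "Misuse of resources": misuse},
            ale_projected={"Alteration of software": 12_000, "Misuse of resources": 30_000},
        ),
        Countermeasure(
            name="Terminal lockout after N unsuccessful logon attempts",
            one_time_costs=[4_000],           # assumed operating system modification
            recurring_cost=0,
            ale_current={"Misuse of resources": misuse},
            ale_projected={"Misuse of resources": 120_000},
        ),
        Countermeasure(
            name="Improved password procedures",
            one_time_costs=[],
            recurring_cost=3_000,
            ale_current={"Misuse of resources": misuse},
            ale_projected={"Misuse of resources": 138_000},
            mandatory=True,                   # assumed to be a mandatory requirement
        ),
    ]


def rank(countermeasures: List[Countermeasure]) -> List[dict]:
    """Summary listing: mandatory items first, then descending return on investment."""
    ordered = sorted(countermeasures, key=lambda c: (not c.mandatory, -c.roi()))
    return [{"countermeasure": c.name, "annual_cost": c.annual_cost(),
             "ale_savings": c.total_savings(), "roi": c.roi(), "mandatory": c.mandatory}
            for c in ordered]


if __name__ == "__main__":
    for row in rank(sample_countermeasures()):
        flag = "M" if row["mandatory"] else ""
        print(f"{row['countermeasure']:<55} ${row['annual_cost']:>9,.0f} "
              f"${row['ale_savings']:>9,.0f}  {row['roi']:6.2f}:1  {flag}")
```

With these inputs the audit trail entry costs $26,000 a year and saves $208,000 of ALE, a return of 8:1, yet the cheap lockout modification ranks above it on return on investment, and the password procedures rank first only because they are flagged mandatory. Sorting mandatory items ahead of the ROI order is what keeps a required but low-yield control from being dropped when the listing is trimmed to a budget.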
APPENDIX C


GUIDELINES FOR DESIGNATING POSITIONS
ASSOCIATED WITH FEDERAL COMPUTER SYSTEMS


A-1, COVERAGE 


This appendix provides specific criteria and amplifying guidance for
determining the category of each position associated with Federal
computer systems. This policy applies to positions in the competitive
service occupied by Federal civilian employees. Departments and agencies
may wish to adopt similar policies for any other personnel involved with,
or having access to data in, Federal computer systems.


A-2. CRITERIA FOR DESIGNATING 
POSITIONS 


Three categories have been established for designating computer and
computer-related positions: ADP-I, ADP-II, and ADP-III. Specific
criteria for assigning positions to one of these categories are as
follows:

Category: ADP-I

Criteria:

—Responsibility for the development and administration of agency
computer security programs, and also including direction and control
of risk analysis and/or threat assessment.

—Significant involvement in life-critical or mission-critical systems.

—Responsibility for the preparation or approval of data for input into
a system which does not necessarily involve personal access to the
system, but with relatively high risk for effecting grave damage or
realizing significant personal gain.

—Relatively high risk assignments associated with or directly involving
the accounting, disbursement, or authorization for disbursement from
systems of (1) dollar amounts of $10 million per year or greater, or
(2) lesser amounts if the activities of the individual are not subject
to technical review by higher authority in the ADP-I category to insure
the integrity of the system.

—Positions involving major responsibility for the direction, planning,
design, testing, maintenance, operation, monitoring, and/or management
of systems hardware and software.

—Other positions as designated by the agency head that involve
relatively high risk for effecting grave damage or realizing
significant personal gain.

Category: ADP-II

Criteria:

—Responsibility for systems design, operation, testing, maintenance,
and/or monitoring that is carried out under technical review of higher
authority in the ADP-I category, to insure the integrity of the system.
This category includes, but is not limited to:

(1) access to and/or processing of proprietary data, information
requiring protection under the Privacy Act of 1974, and
Government-developed privileged information involving the award of
contracts;

(2) accounting, disbursement, or authorization for disbursement from
systems of dollar amounts less than $10 million per year.

—Other positions as designated by the agency head that involve a degree
of access to a system that creates a significant potential for damage
or personal gain less than that in ADP-I positions.

Category: ADP-III

Criteria:

—All other positions involved in Federal computer activities.


A-3. GUIDELINES FOR APPLYING 
CRITERIA TO SPECIFIC POSITIONS 


In determining category levels for Federal computer positions, agency
heads should consider not only the specific requirements of the
position, but also the relationship of those requirements to the
informational system that the position services. For example,
information that is not in itself highly sensitive may in combination
with similar, low sensitive data produce a highly sensitive system. A
position which involves limited access to and use of selected systems
data for specific purposes during limited periods of time in a
controlled situation may be considered for a lower ADP category. Such
positions might have less potential for harm than a position associated
with the system's design, operation or maintenance involving access to
or control of large amounts of data in the system which, in combination,
may be extremely critical to life or mission.

Application of the criteria for designating category levels of
individual positions normally does not fit a precise formula. A
determination must be made on the basis of judgment, considering
numerous factors, including, but not necessarily limited to:

—the degree of supervision or review afforded the occupant of the
position;

—the extent of security and protective measures in effect;

—the nature of the data being processed;

—the degree to which the data being processed is accessible by the
individual through outside terminals;

—the extent to which responsibility for violations or attempted
violations of computer systems security can be established;

—the extent to which the activities associated with the position are
performed in isolation from concurrent processes; and

—the degree of accessibility to other data in a system through
intrusion by telecommunications or time sharing.

Based upon these and other considerations, agencies should define
determinants such as significant involvement, grave damage, and
significant personal gain in terms of the individual agency mission and
the relative risks associated with the particular system or systems
involved. On a continuing basis, an assessment of all category
designations should be made to identify any changes in the data
available or the duties and responsibilities of the position that would
cause the position to be placed in a higher or lower category level.


A-4. SCREENING PERSONS FOR ASSIGNMENT TO ADP-I, ADP-II, AND ADP-III
POSITIONS


Heads of agencies are responsible for developing criteria for screening
persons for assignment to ADP-I, ADP-II, and ADP-III positions. The
OPM's suitability guidelines in Federal Personnel Manual Supplement
731-1 and the guidelines in Executive Order 10450 may be used in
developing these criteria. Agencies should also consider any other
factors which have a bearing on the person's trustworthiness.
Individual agency criteria for Federal civilian competitive service
positions may also be used for any other personnel associated with
Federal computer systems.
APPENDIX D


COMPUTER PROGRAM DOCUMENTATION


Opinions vary on what constitutes adequate and complete documentation of
operational computer programs. It is generally agreed, however, that at least four
categories of documentation are required if long and complex programs are to be
significantly changed or subjected to other scrutiny.

The four categories are system flowcharts, detailed program flowcharts, source
programs, and computer run sheets. Still other categories of documentation may
be found when the auditor embarks on an audit of documentation supporting
computer programs. The documentation may be placed in 12 different categories.
They are explained here to show the relationship of various forms of documentation
to the four first mentioned. The auditor is cautioned, however, that each EDP
installation may not place the documentation in the precise categories described
here. Some of the 12 categories may have been combined, others may have been
eliminated or omitted, and still others may have been added.


1. Cover Sheet. The purpose of the cover sheet is to identify the computer program
by giving such information as program name, program number, purpose (a brief
nontechnical description of the problem solved by the program), source language
used (such as COBOL or FORTRAN), EDP configuration that the program was designed
for, programmer's name, and date of the program. Even though helpful, the cover
sheet is not an absolute necessity because the information it contains is usually
shown elsewhere in the documentation or is easily obtained.


2. Forms Layout. The purpose of this section is to show the content of input and
output documents and reports. If it is not included in the documentation, it is
usually available from other sources, such as current reports and currently used
input documents.


3. Definitions. The purpose of this section is to define all symbolic names used
anywhere in the program documentation. Symbolic names are abbreviated terms that
are used in place of longer names, terms, or titles. For example, one of the input
documents in the forms layout section may show a form space and identify its
contents as "TAXDED." Reference to the definitions section might show that
"TAXDED" means "Tax Deduction." This section may also contain any tables or other
information the programmer feels should be defined. A table might show, for
example, the number of dependents in one column and the applicable tax deduction
in an adjacent column.
Like the forms layout section, the definitions may be available from other sources
if they are not defined in a separate section of documentation. As an example,
definitions may be recorded on system flowcharts and detailed program flowcharts
(explained later) or defined in the comments contained in the source program. Of
course, the symbolic names used may have an obvious or easily determinable
meaning. In that case, the definitions may not be essential.


4. System Flowchart. The purpose of the system flowchart is to show the flow of
work, documents, and reports in a specific data processing job. It is designed to
demonstrate how the data processing job is organized from beginning to end. It is
general in nature because it does not specify the detailed and specific computer
steps that are necessary for a particular processing run. (This detail is a
function of the detailed program flowchart described later.)


Special data processing symbols are used in a system flowchart, along with symbolic
names, previously described, and English language statements to describe the flow
of work, documents, and reports. By referring to the system flowchart, programmers
and others can find out how the overall data processing job is organized, the
source and type of input records, the point at which input records are introduced
into the computer for processing, the sequence of the overall processing, all
resulting output — such as printed reports — and the ultimate destination of the
output.


This type of information is not usually available from another source unless it
can be recalled by the people who worked on the program or unless it can be
reconstructed from other detailed data processing records or current practices.
Reconstruction can take a great deal of time if the data processing job is a
lengthy one. Besides, it is not a good practice to rely on an individual's memory,
because some important details may be forgotten or the individual may leave the
company.


5. Detailed Program Flowchart. Like the system flowchart, the detailed program
flowchart uses special data processing symbols, symbolic names, and English
language statements. Unlike the system flowchart, however, the detailed program
flowchart shows a step-by-step sequence in implementing a data processing job so
that it can be made operational.


It is from the detailed program flowchart that the programmer prepares the actual
computer program (called a source program) to be compiled and executed by the
computer. Unless the source program is simple and only a few source program steps
are required, a current detailed program flowchart is a valuable tool to the
programmer in making necessary changes at a later date.


Because of its extremely detailed nature, it is important that the detailed program
flowchart be kept current. Otherwise, important and minute details may be forgotten
and the programmer may find it difficult or impossible to make changes in the
related source program when the need arises. This is particularly true if the
changes are to be made by a programmer other than the one who initially prepared
the detailed program flowchart and source program. For some complex source
programs, the programmer may prepare several program flowcharts, each becoming
progressively more detailed until one of them possesses the detail that is
necessary for writing the source program. When making program changes, the
detailed program flowchart is almost always used in conjunction with the source
program (described in item 7).
6. Program Description. This section describes how the logic of the source program
was developed, using the higher-level language (such as COBOL or FORTRAN) and the
computer. It is a detailed flowchart in prose form. Sometimes, because COBOL is
near to English, this section is not prepared for source programs written in
COBOL. If it is not prepared, the same information is almost always available from
the detailed program flowchart or the source program, except without the detailed
and sometimes lengthy prose statements which explain why specific procedures were
followed.


7. Source Program. This section contains the actual program as it is written in
such higher-level languages as COBOL or FORTRAN. By comparing the detailed program
flowchart with the actual source program, the programmer or others can trace each
step of the computer through to a final conclusion. In reviewing and making
changes in the programs, the programmer must generally refer to the source program
to determine precisely how the higher-level language statements were used before
the current review and change became necessary.


The detailed program flowchart is useful in determining the purpose of specific 
source program statements. Some EDP installations may also follow the practice 
of requiring programmers to include English language comments in the source 
program to briefly explain the purpose of each program step. Such comments are 
useful and, together with the detailed program flowchart, can provide a clear audit 
trail that shows the step-by-step procedure that was followed in developing the 
source program. 


Sometimes, English language comments in the source program are sufficient to
permit an accurate review of or change in the computer program. This, of course,
depends upon the extent and clarity of the English language comments, the length
and complexity of the source program, and the extent of the required review or
program changes.


If a current copy of the source program is not formally kept as documentation, it
can usually be obtained from punched cards that were used to introduce the source
program into the computer or from other storage devices, such as magnetic tape,
that may be used to hold the information.


8. List of Test Data. This section identifies the test data used by the programmer 
in testing the source program after it was written. The results are shown in the 
Test Report (described in item 10). 


9. Sample Output. This section contains sample output resulting from the source
program. Examples of output include reports and punched cards. If this information
is not included in the documentation, it is usually easily obtained by referring
to recent output that resulted from EDP processing runs.


10. Test Report. This section explains the results that were obtained when the 
source program was tested to determine whether it was operational. If test data 
and test reports are not included in the documentation, the programmer can pre- 
pare other test data to determine the current effectiveness of the source program. 


11. Deck Setup. This section gives the order of the source program card deck. It
is similar to the source program (see item 7), but it is not in as much detail.
The source program is an exact duplication of the computer program in the
higher-level language. The deck setup shows the order of the related card deck,
but it is usually subdivided by major category and does not outline each program
step.
This section may include such other information as requirements for peripheral
equipment (magnetic tape drives, card readers, and card punchers), the time 
limit for the computer program when it is being executed by the computer, and 
special control cards needed for a successful run of the job. This information is 
also available from the programmer. 


12. Computer Run Sheet. This section contains information needed by the con- 
sole operator for running the computer program, such as the magnetic tapes or 
disks to be mounted, the names and usage of all input files, any central process- 
ing unit (CPU) console messages that may appear during the run, and any oper- 
ator action to be taken as a result of these messages. This information is also 
usually available from retained copies of the CPU console messages from pro- 
grammers responsible for maintaining the source program. 
APPENDIX E


CONTINGENCY PLAN OUTLINE


Part One--Preliminary Planning


Purpose
• Reason for plan
• Objective

Scope
• Applicability of plan
  --Data center 1
  --Data center 2

Assumptions
• Events included
• Events excluded
• Priorities
• Support commitments

Responsibilities
• Plan preparation/maintenance
• Emergency chain of command
• Operations supervisor
• Shift supervisor

Strategy
• Emergency response
• Backup operations
• Recovery

Record of Changes
• Change sheet
• Plan distribution
Part Two--Preparatory Actions


People
• Complete listing of assigned personnel with address, phone number, etc.
• Emergency notification roster(s)
• Team composition
  --Recovery Team A
  --Recovery Team B

Data
• On-site inventory
• Off-site inventory
  --How/when rotated
• Critical files needed for backup site processing

Software
• Operating system
  --On-site inventory
  --Off-site inventory
  --How/when updated
• Applications
  --On-site inventory
  --Off-site inventory
  --How/when rotated

Hardware
• Inventory list reflecting vendor, name, address, etc.
• Emergency acquisition agreement
• Sample order forms, etc.

Communications
• Current on-site requirements
• Requirements for backup site(s)
Supplies
• List of critical supply items with all necessary information (e.g., stock
  numbers for ordering)
• List of vendors who provide supplies
• List/location of supplies needed for backup site processing

Transportation
• Requirements for recovery operations/backup site(s)
• Procedures for obtaining emergency transportation

Space
• Current site requirements (lay-out of facility)
• Backup site space available, by site

Power and Environment
• Current site requirements
• Backup site requirements

Documentation
• On-site inventory
• Off-site inventory
  --How/when updated
• List/location of critical documentation needed for backup site processing

Other
• Alternate site agreements
• Contracts

Test Plans
• Plan A
• Plan B


Part Three--Action Plan


Emergency Response
• Scenario 1
• Scenario 2
• Scenario n

Backup Operations
• Scenario 1
• Scenario 2
• Scenario n

Recovery Actions
• Scenario 1
• Scenario 2
• Scenario n


NOTE: The exclusion of any item in the examples above does not imply that
further entries may not be required for any facility. The purpose of the
example entries is to suggest, generally, possible relevant entries for each
facility's contingency plan. Most planners will undoubtedly discover that in
order to provide complete coverage, further expansion of the outline will be
necessary. [Ref. 32: pp. 30-32]